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(54) Electronic watermark system, electronic information distribution system, and image filing 
apparatus 



(57) Disclosed is an electronic watermark method, 
used for a network, comprising a plurality of entities, 
wherein provided weparately are an entity for embed- 



ding an electronic watermark in encrypted data that are 
exchanged by said plurality of entities, and an entity for 
performing an encryption process and a corresponding 
decryption process. 
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Description 



[0001] The present invention relates to an electronic 
watermark system, an electronic information distribution 
system and an image filing apparatus, and in particular 
to an electronic watermark technique for protecting a 
copyright for digital information, such as moving picture 
data, static picture data, audio data, computer data and 
computer programs, to a multimedia network for em- 
ploying such an electronic watermark technique for the 
distribution of digital information, and to an image filing 
apparatus that employs such a multimedia network. 
[0002] As a consequence of recent developments 
concerning computer networks and the availability of in- 
expensive high-performance computers, electronic 
transactions for trading products across a network have 
become popular. Products for such transaction can be 
digital data, including pictures, for example. 
[0003] However, since a large number of complete 
copies of digital data can be easily prepared, a user who 
purchases digital data would be able to illegally prepare 
copies having the same quality as the original, and could 
then distribute the copied data. As a result, a warranta- 
ble price would not be paid to the owner of the copyright 
for the digital data or to a person (hereinafter referred 
to as a "seller") by whom sale of the digital data is au- 
thorized by the copyright owner, and the infringement of 
the copyright would occur. 

[0004] Once a copyright holder or a seller (hereinafter 
a person who legally distributes digital data is generally 
called a "server") has transmitted digital data to a user, 
full protection against the illegal copying of data is not 
possible. 

[0005] Therefore, an electronic watermark technique 
has been proposed for use instead of a method for the 
direct prevention of illegal copying. According to the 
electronic watermark technique, a specific process is 
performed for the original digital data and copyright in- 
formation concerning the digital data, or user informa- 
tion, is embedded in the digital data, so that when an 
illegal copy of the digital data is discovered, the person 
who distributed the copied data can be identified. 
[0006] In a conventional electronic watermark sys- 
tem, a server is assumed to be fully trustworthy. There- 
fore, if a server in a conventional system proves not to 
be trustworthy, and may engage in some sort of illegal 
activities, a user who has committed no crime may be 
accused of illegally copying data. 
[0007] This occurs because in a conventional elec- 
tronic watermark system, as is shown in Fig. 1 , when a 
server embeds user information dl for identifying a user 
(user U in Fig. 1 ) in digital data g (in the following expla- 
nation image data are employed as the digital data) dis- 
tributed to the user, and thereafter, without the permis- 
sion of the user makes a further distribution of the data 
containing the user's identification data and then accus- 
es the user of making illegal copies, there is no way the 
user can refute the accusation of the server, even 



though in this instance it is the server that is at fault. 
[0008] As a countermeasure, a system (Fig. 2) using 
a public key encryption method has been proposed, for 
example, in "Asymmetric Finger Printing", B. Pfitmmann 
5 and M Waidner, EUROCRYPT '96 (hereinafter referred 
to as reference 1). According to the public key encryp- 
tion method, an encryption key and a decryption key dif- 
fer, and the encryption key is used as a public key while 
the decryption key is used as a secret key. The RSA 
10 encryption and the EIGamal encryption are well known 
as typical examples for the public key encryption. 
[0009] An explanation will be given for (a) features of 
the public key encryption system and (b) protocols for 
secret communication and authenticated communtca- 
is tion. 



(a) Features of public key encryption 
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[0010] 



30 



(1) Since an encryption key and a decryption key 
differ, and the encryption key can be published, a 
secret delivery process is not required for the en- 
cryption key and it can be delivered easily. 

(2) Since the encryption keys of users are pub- 
lished, users need only provide for the secret stor- 
age of their decryption keys. 

(3) An authentication function can be provided with 
which a recipient can verify that the sender of a 
message is not perpetrating a fraud and that the re- 
ceived message has not been altered. 



(b) Protocols for public key encryption 



35 [0011] For example, when E (kp, M) denotes an en- 
cryption operation for a message M that uses a public 
encryption key kp, and D (ks, M) denotes a decryption 
operation for a message Ms that uses a secret decryp- 
tion key ks, the public key encryption algorithm satisfies 

40 the two following conditions. 

(1) The calculations for the encryption E (kp, M) can 
be performed easily using the encryption key kp that 
is provided, and the calculations for the decryption 

45 D (ks, M) can also be performed easily using the 
decryption key ks that is provided. 

(2) So long as a user does not know the decryption 
key ks, even if the user knows the encryption key 
kp and the calculation procedures for the encryption 

so E (kp, M), and that the encrypted message C = E 
(kp, M), the user can not ascertain the contents of 
the message M because a large number of calcu- 
lations are required. 

When, in addition to the conditions (1) and (2), 
55 the following condition (3) is established, the secret 
communication function can be implemented. 
(3) The encryption E (kp, M) can be defined for all 
the messages (plain text) M, and 
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D (ks. E (kp, M)) = M 

is established. That is, anyone can perform the cal- 
culations for the encryption E (kp, M) using the pub- s 
lie encryption key kp, but only a user who has the 
secret decryption key ks can perform the calcula- 
tions for the decryption D (ks, E (kp, M)) to obtain 
the message M. 

When : in addition to the above conditions (1) io 
and (2), the following condition (4) is established the 
authenticated communication function can be im- 
plemented. 

(4) The decryption D (ks, M) can be defined for all 
the messages (plain text) M, and 15 

E (kp, D (ks, M)) = M 

is established. That is, only a user who has the se- 20 
cret decryption key ks can calculate the decryption 
D (ks, M). Even if another user calculates D (ks\ M) 
using a bogus secret decryption key ks' and per- 
forms the calculations as would a user who has the 
secret decryption key ks, the result obtained is 25 

E (kp, D (ks', M) * M, 
and a recipient can understand that the received in- 30 



formation was illegally prepared. 

[0012] When the value D (ks : M) is altered, the result 
is 

35 

E (kp, D(ks, M) 1 ) * M, 

and a recipient can understand that the received infor- 
mation was illegally prepared. 40 
[001 3] In the above described encryption method, the 
operation E () : using the public encryption key (herein- 
after also referred to as a public key) kp, is called "en- 
cryption", and the operation D (), using the secret de- 
cryption key (hereinafter also referred to as a secret key) 45 
ks, is called "decryption". 

[001 4] Therefore, for a secret communication a send- 
er performs the encryption and a recipient performs the 
decryption, while for an authenticated communication, 
a sender performs the decryption and a recipient per- so 
forms the encryption. 

[0015] The protocols are shown for a secret commu- 
nication, an authenticated communication, and a secret 
communication with a signature performed by a sender 
A for a recipient B using the public key encryption sys- ss 
tern. 

[0016] The secret key of the sender A is ksA and the 
public key is kpA, and the secret key of the recipient B 



is ksB and the public key is kpB. 
Secret Communication 

[0017] The following procedures are performed for 
the secret transmission of a message (plain text) M from 
the sender A to the recipient B. 

[001 8] Step 1 : The sender A transmits to the recipient 
B a message C that is obtained by employing the public 
key kpB of the recipient B to encrypt the message M as 
follows: 

C = E (kpB, M). 

[0019] Step 2: To obtain the original plain language 
message M, the recipient B employs his or her secret 
key ksB to decrypt the received message C as follows: 

M= D (ksB, C). 

[0020] Since the public key kpB of the recipient B is 
openly available to an unspecified number of people, us- 
ers other than the sender A can also transmit secret 
communications to the recipient B. 

Authenticated Communication 

[0021] For the authenticated transmission of a mes- 
sage (plain text) M from the sender A to the recipient B ; 
the following procedures are performed. 
[0022] Step 1 : The sender A transmits to the recipient 
B a message S that he or-she created by employing his 
or her secret key as follows: 

S = D (ksA, M). 

[0023] This message S is called a signed message, 
and the operation for acquiring the signed message S 
is called "signing". 

[0024] Step 2: To convert the signed message S and 
obtain the original plain language message M, the re- 
cipient B employs the public key KpA of the sender A as 
follows: 

M = E (kpA, S). 

If the recipient B ascertains that the message M makes 
sense, he or she issues verification that the message M 
has been transmitted by the sender A. And since the 
public key kpA of the sender A is available to an unspec- 
ified number of persons, users other than the recipient 
B can also authenticate the signed message S from the 
sender A. This authentication is called "digital signing". 
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Secret Communication With Signature 



[0025] The following procedures are performed for 
the secret transmission to the recipient B by the sender 
A of a message (plain text) M for which a signature is 
provided. 

[0026] Step 1 : The sender A prepares a signed mes- 
sage S by employing his or her secret key ksA to sign 
the message M as follows: 

S = D (ksA, M). 

Furthermore, to obtain an encrypted message C that is 
thereafter transmitted to the recipient B, the sender A 
employs the public key kpB of the recipient B to encrypt 
the signed message S as follows: 

C = E (kpB, S). 

[0027] Step 2: To obtain the signed message S the 
recipient B employs his or her secret key ksB to decrypt 
the encrypted message C as follows: 

S = D (ksB, C). 

In addition, to obtain the original plain text message M, 
the recipient B employs the public key kpA of the sender 
A to convert the signed message S as follows: 

M = E (kpA, S). 

When the recipient has ascertained that the message 
M makes sense, he or she verifies that the message M 
was transmitted by the sender A. 
[0028] For a secret communication for which a signa- 
ture has been provided, the order in which the calculat- 
ing functions are performed at the individual steps may 
be inverted. In other words, in the above procedures, 

Step 1: C = E (kpB, D (ksA, M)) 



Step 2: M = E (kpA, D (ksB, C)) 

are calculated in this order. However, for calculations 
performed for such a secret communication, the follow- 
ing order may be employed: 

Step 1 : C = D (ksA, E (kpB, M)) 
Step 2: M = D (ksB, E (kpA, C)). 



[0029] An explanation will now be given for the oper- 
ating procedures for a conventional electronic water- 
mark system employing the above described public key 
encryption method. 

5 

1 ) First, a contract d2 concerning the trading of im- 
age data g is prepared by a server and a user. 

2) Next, the user generates a random number ID to 
identify himself or herself, and employs this ID to 

10 generate a one-way function f. The one-way func- 
tion is a function such that for-a function y = f(x), 
calculating y from x is easy but calculating x from y 
is difficult. For example, a unique factorization or a 
discrete logarithm for an integer having a number 

15 of digits is frequently employed as a one-way func- 
tion. 

3) Then, the user prepares the signature informa- 
tion d3 using his or her secret key ksU, and trans- 
mits it with the contract d2 and the one-way function 

20 f to the server. 

4) Following this, the server verifies the signature 
information d3 and the contract d2 using the public 
key kpU of the user. 

5) After the verification has been completed, the 
25 server embeds in the image data g a current data 

distribution record 64 and a random number ID pre- 
pared by the user and generates image data which 
includes an electronic watermark (g + d4 + ID). 

6) Finally, the server transmits to the user the image 
30 data that includes the electronic watermark (g + d4 

+ ID). 

[0030] When an illegal copy of data is found, embed- 
ded information is extracted from the illegal image data, 
35 and a specific user is identified using the ID included 
therein. At this time, a claim by the server that it did not 
distribute the illegal copy without permission is based 
on the following grounds. 

[0031] Since the ID specifically identifying a user is 
40 generated by the user, and since by using that ID the 
signature of the user is provided for the one-way func- 
tion f, the server can not generate such an ID for an ar- 
bitrary user. 

[0032] However, since a user who has officially con- 
45 eluded a contract with the server must transmit his or 
her ID to the server, only users who have not made con- 
tracts with the server can not be accused of committing 
a crime, whereas a user who has officially concluded a 
contract can be so accused. 
50 [0033] A system (Fig. 3) for neutralizing an accusation 
that a crime has been committed by a user who has of- 
ficially concluded a contract is proposed in "Electronic 
watermarking while taking server's illegal activity into 
account", Miura, Watanabe and Kasa (Nara Sentan Uni- 
versity), SC1S97-31C (hereinafter referred to as refer- 
ence 2). This system is implemented by dividing the 
server into an original image server and an embedding 
server. According to this system, the embedded elec- 
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tronic watermark is not destroyed during encryption and 
decryption. 

[0034] The operating procedures for the system in 
Fig. 3 will now be described. 

1 ) First, to obtain desired image data a user issues 
a request bearing his or her signature d5 to an orig- 
inal image server. 

2) The original image server employs the user's sig- 
nature d5 to verify the contents of the request, and 
subsequently encrypts the requested image data g 
and transmits the encrypted data to an embedding 
server. 

At this time, the original image server transmits 
to the embedding server a user name u accompa- 
nied by a signature for consignment contents d6. At 
the same time, the original image server also trans- 
mits to the user a decryption function V that is relat- 
ed to the encryption. 

3) The embedding server verifies the received en- 
crypted image data g 1 and the signature (u d6), 
employs the user name u and the consignment con- 
tents d6 to prepare and embed user information 67 
for specifically identifying a user, and thereby cre- 
ates encrypted data having an included electronic 
watermark (g' + d7). Then, the embedding server 
transmits to the user the encrypted image data (g' 
+ d7) that includes the electronic watermark. 

4) The user employs the decryption function f, 
which was received from the original image server, 
to decrypt the encrypted image data that includes 
an electronic watermark, (g' + d7), and to obtain the 
image data provided with the electronic watermark, 
(g + d7). 

[0035] When an illegal copy is found later, the original 
image server encrypts the illegal image data, and ex- 
tracts the embedded information and transmits it to the 
embedding server The embedding server specifically 
identifies a user from the embedded information. 
[0036] This system is based on the premise that, 
since the original image server does not embed in the 
image data g the user information d7 specifically iden- 
tifying a user, and since the embedding server does not 
know the decryption function f (can not retrieve the orig- 
inal image), the individual servers can not illegally dis- 
tribute to officially contracted servers image data in 
which is embedded the user information d7. 
[0037] However, neither the collusion of the original 
image server with the embedding server, nor the collu- 
sion of the embedding server with a user is taken into 
account in the system in Fig. 3. Since the embedding 
server holds the encrypted image data g' for the image 
data g, which are the original image data, and the user 
holds the decryption function f, when the original image 
server is in collusion with the embedding server, the 
servers, as in the system in Fig. 2, can perform an illegal 
activity. And when the embedding server is in collusion 



with the user, the original image can be illegally ob- 
tained. 

[0038] The original image server transmits the de- 
cryption function P to the user; however, if the user does 

s not provide adequate management control for the de- 
cryption function f\ the carelessness of the user will re- 
sult in the embedding server obtaining knowledge of the 
decryption function P, even though the embedding serv- 
er is not in collusion with the user. 

w [0039] Furthermore, in the system in Fig. 3 the original 
image sever does not include embedding information, 
nor can it correctly perform embedding. However, since 
the embedded information is extracted by the original 
image server, the original image server could correctly 

15 perform the embedding by analyzing the embedded in- 
formation. 

[0040] Since the embedding server does not embed 
its own signature, the embedded information and the 
corresponding user information are the only embedding 

20 server secrets. However, the correspondence engaged 
in by the embedded information, and the user informa- 
tion is not random correspondence involving the use of 
a database, and if the embedded information is pre- 
pared from the user information according to specific 

25 rules, there is a good probability that analyzation of the 
embedded information will be possible. 
[0041] In this case, as in the system in Fig. 2, the per- 
formance of an illegal activity is possible. 
[0042] Further, for the above described secret com- 

30 munication for which a signature is provided, a blind de- 
cryption method having the following features is em- 
ployed for the aforementioned decryption. 
[0043] In the following explanation, digital data, such 
as image data, are encrypted by A (assumed to be a 

35 server) using the public key encryption method, and the 
encrypted data G is obtained by B (assumed to be a 
user). 

[0044] A person who legally distributes digital data, 
such as image data, is called a server. 

40 

Features of Blind Decryption 
[0045] 

is 1 ) The contents of the data G are kept secret from 
third parties, persons other than the server and the 
user. 

2) The user obtains the data G, while disabling the 
ability of the server to forge or alter the data G in 

50 the protocol. 

3) The user decrypts the encrypted data G without 
notifying the server, and thus protects the privacy 
of the transaction. 

55 [0046] Blind decryption is used in order that, when a 
large amount of data encrypted by a server are stored 
on a CD-ROM, etc. , and are delivered to a user, the user 
can obtain desired data without the server being aware 
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of which data included on the CD-ROM have been de- 
crypted. As a result, the privacy of the user, such as in- 
formation concerning which data the user purchased, 
can be protected. 

[0047] The following blind decryption procedures are 
performed when the user pays the server a price for data 
that are purchased. The trading of data, such as soft- 
ware programs, can be implemented across a network 
or electronically, so as to initiate electronic commerce. 
[0048] A description of the blind procedures follows. 
[0049] The encryption systems of the server and of 
the user are denoted respectively by E1 () and E2 (), 
and the decryption systems of the server and the user 
are denoted respectively by D1 () and D2 (). Assume 
forthwith that for blind decryption the following equation 
is established by the encryption systems of the server 
and the user: 

E1 (E2 (G)) = E2 (E1 (G)). 20 



Blind Decryption Procedures 
[0050] 

1 ) The user employs the encryption key (public key) 
of the server to encrypt data G, and obtains the en- 
crypted message Cs. 

The encrypted message Cs is represented by 

Cs = E1 (G). 

2) The user encrypts the message Cs obtained at 
1) using the user's encryption key (public key), and 
transmits the encrypted message Csu to the server. 

The encrypted message Csu is represented by 

Csu = E2(Cs). 



[0051] When the RSA encryption system is employed 
for blind decryption, generally, assuming that respec- 
tively the public keys of the server and the user are e1 
and e2 and their secret keys are d1 and 62, blind de- 
cryption is performed as follows. 
[0052] The mod operation is not shown. 

Processing For Blind Decryption Using The RSA 
Encryption System 



[0053] 
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3) The server employs the server's decryption key 
(secret key) to decrypt the message Csu received 
from the user, and transmits the decrypted mes- 
sage Cu to the user. 45 
The decrypted message Cu is represented by 



Cu = D1 (Csu) = D1 (E2 (E1 (G))) = E2 (G). 

4) The user employs the user's decryption key (se- 
cret key) to decrypt the message Cu received from 
the server, and obtains data G. 
The data G is represented by 

G - D2 (E2 (G)). 
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1 ) The user encrypts the data G using the public key 
el of the server, and obtains the encrypted message 
Cs. 

The message Cs is represented by 
Cs = G e1 . 

2) The user employs the user's public key e2 to en- 
crypt the message Cs (= G e1 ) obtained at 1), and 
transmits the encrypted message Csu to the server. 

The message Csu is represented by 



Csu = (G e Y 2 . 



3) The server employs the server's public key el to 
decrypt the encrypted message Csu (= (G e1 ) e2 ) re- 
ceived from the user, and transits the decrypted 
message Cu to the user. 

The decrypted message Cu is represented by 

Cu = G e2 . 

4) The user employs the user's public key e2 to de- 
crypt the message Cu (= G e2 ) received from the 
server, and obtains the original data G (the final data 
for the user). 

[0054] Even when the above public key encryption 
system is employed, however the user who purchased 
digital data, such as image data, could obtain a benefit 
by making a copy of the data and illegally distributing 
the copy. 

[0055] Therefore, a method exists that is called "elec- 
tronic watermarking". According to the "electronic wa- 
termarking" method, a specific operation is performed 
for original digital data, such as image data, to embed 
in the digital data copyright information concerning the 
digital data, and user information (an electronic water- 
mark embedding process), so that when an illegal copy 
is found, the person who distributed the copy can be 
specifically identified. 

[0056] The employment of both the electronic water- 
marking technique and the public key encryption system 
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can protect the privacy of a user, and can also prevent 
the illegal distribution of data by a user. 
[0057] The conventional blind decryption technique, 
which is a system for decrypting data that are encrypted 
using the above described public key encryption sys- s 
tern, is effective as protocol for transmitting original dig- 
ital data (the data G) from a server to a user with the 
privacy of the user being protected. However the con- 
ventional blind decryption technique is not appropriate 
as a protocol for implementing the following features. 10 

1) The contents of the data G are kept secret from 
third parties, persons other than the server and the 
user 

2) The server performs a modification, such as an is 
electronic watermarking process, in accordance 
with the protocol and does not transmit the data G 

to the user unchanged. 

3) The protocol according to which a partner can 

not be accused of a crime is employed to prevent 20 
the illegal distribution of data by a server and a user 

[0058] An aspect of the present invention provides an 
electronic watermarking method whereby the above de- 
scribed illegal activities and the illegal distribution of the 25 
original data by a server and a usercan be prevented, 
and an electronic information distribution system there- 
for 

[0059] According to one aspect of the present inven- 
tion, an electronic watermarking method comprises a 30 
step of at least performing either an encryption process 
or a decryption process for data in which electronic wa- 
termark information is embedded. 
[0060] According to an another aspect of the present 
invention, an electronic watermark method comprises a 35 
step of embedding specific electronic watermark infor- 
mation in which different electronic watermark informa- 
tion has been embedded and that has already been en- 
crypted. 

[0061] The data in which different electronic water- 40 
mark information is to be embedded may be data that 
are encrypted in which specific electronic watermark in- 
formation has been embedded. 

[0062] Different electronic watermark information 
may be embedded in the data after the data have been 45 
encrypted using a different encryption method. 
[0063] According to an another aspect of the present 
invention, different information is embedded as elec- 
tronic watermark information in common data before 
and after encryption is performed for the common data. so 
[0064] According to an another aspect of the present 
invention, provided is an electronic watermark method, 
used for a network, that includes a plurality of entities 
whereof provided separately are an entity for embed- 
ding an electronic watermark in encrypted data that are 55 
exchanged by the plurality of entities, and an entity for 
performing an encryption process and a corresponding 
decryption process. 
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[0065] With the above arrangement, the encrypted 
data may be image data. 

[0066] According to an another aspect of the present 
invention, an electronic information distribution system, 
which exchanges digital information across a network 
system constituted by a plurality of entities, comprises 
a first entity for embedding electronic information for the 
digital data, and a second entity for performing an en- 
cryption process and a corresponding decryption proc- 
ess for the digital data. 

[0067] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system wherein, for the exchange of digital informa- 
tion between a first entity and a second entity in a net- 
work that includes a plurality of entities, the first entity 
receives encrypted information from the second entity 
embeds electronic watermark information in the en- 
crypted information and transmits the resultant informa- 
tion to the second entity, and the second entity performs 
a corresponding decryption process for the encrypted 
information received from the first entity. 
[0068] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system wherein, for the exchange of digital informa- 
tion by a first entity and a second entity across a network 
system constituted by a plurality of entities, the first en- 
tity embeds electronic watermark information in infor- 
mation and performs a first encryption process for the 
information, and transmits the resultant information to 
the second entity; wherein the second entity performs a 
second encryption process for the information received 
from the first entity and transits the resultant information 
to the first entity; wherein the first entity performs a first 
decryption process, corresponding to the first encryp- 
tion process, for the information received from the sec- 
ond entity, and embeds electronic watermark informa- 
tion in the resultant information and transmits the ob- 
tained information to the second entity; and wherein the 
second entity performs a second decryption process, 
corresponding to the second encryption process, for the 
information received from the first entity. 
[0069] The electronic watermark information embed- 
ded by the first entity may at the least include either in- 
formation concerning the second entity or information 
concerning digital data to be transmitted. 
[0070] Preferably, the first entity examines a signature 
of the second entity by using an anonymous public key 
having a certificate that is issued by an authentication 
center 

[0071] According to an another aspect of the present 
invention, provided is an image file apparatus, which 
stores, as image data, image information obtained by 
decrypting image information for which encryption has 
been performed, and electronic watermark information 
that is added to the image information while it is encrypt- 
ed and that is decrypted using the image information. 
[0072] Key information concerning the encryption 
may be stored separately from the image data. 
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[0073] According to an another aspect of the present 
invention, an entity for performing an encryption process 
and an electronic watermark embedding process em- 
beds an electronic watermark for information at least ei- 
ther before or after the information is encrypted. 
[0074] In this aspect of the present invention, the en- 
tity is an entity for receiving information. 
[0075] In this aspect of the present invention, the en- 
tity transmits, to an information provision entity, informa- 
tion that is encrypted in which an electronic watermark 
has been embedded. 

[0076] In this aspect of the present invention, the en- 
tity further transmits, to the information provision entity, 
a value that is obtained by transforming, using a one- 
way compression function, the information that is en- 
crypted in which an electronic watermark has been em- 
bedded. 

[0077] In this aspect of the present invention, the en- 
tity receives information that primarily is encrypted in ad- 
vance, and performs a secondary encryption process 
and an electronic watermark embedding process for the 
encrypted information. 

[0078] According to an another aspect of the present 
invention, an entity for receiving information embeds an 
electronic watermark in the information. 
[0079] In this aspect of the present invention, the en- 
tity transmits to an information provision entity the infor- 
mation in which the electronic watermark has been em- 
bedded. 

[0080] In this aspect of the present invention, the in- 
formation provision entity embeds in the information an 
electronic mark that differs from the electronic water- 
mark. 

[0081] In this aspect of the present invention, the in- 
formation is image information. 

[0082] According to an another aspect of the present 
invention, a one-way compression function is employed 
to examine the legality of at the least either an encryp- 
tion process or an electronic watermark embedding 
process. 

[0083] According to an another aspect of the present 
invention, provided is an electronic watermark method 
used for a network system that includes a plurality of 
entities, whereby, for the exchange of digital data by a 
first entity and a second entity at the least of the plurality 
of entities, the first entity embeds an electronic water- 
mark in the digital information before or after performing 
a first encryption process and transmits the resultant 
digital information to the second entity, and the second 
entity embeds an electronic watermark in the digital in- 
formation received from the first entity before or after a 
second encryption process. 

[0084] According to an another aspect of the present 
invention, provided is an electronic watermark method 
used for a network system that includes a plurality of 
entities, whereby, for the exchange of digital data by at 
least a first entity and a second entity of the plurality of 
entities, before a first encryption the first entity performs 



an electronic watermark embedding process for the dig- 
ital information and transmits the resultant digital infor- 
mation to the second entity; whereby, before a second 
encryption the second entity, without decrypting the dig- 

s ital information, performs an electronic watermark em- 
bedding process for the digital information received from 
the first entity; whereby the first entity performs a de- 
cryption process, corresponding to the first encryption, 
for the digital information received from the second en- 

10 tity and transmits the decrypted digital information to the 
second entity; and whereby the second entity performs 
a decryption process, corresponding to the second en- 
cryption, for the digital information received from the first 
entity. 

is [0085] In this aspect of the present invention, before 
performing the electronic watermark embedding proc- 
ess, the first entity uses an anonymous public key hav- 
ing a certificate that is issued by an authentication center 
to examine a signature included with the second entity. 

20 [0086] in this aspect of the present invention, the elec- 
tronic watermark embedding process performed by the 
first entity is a process for embedding information con- 
cerning the second entity. 

[0087] In this aspect of the present invention, the elec- 
ts tronic watermark embedding process performed by the 
first entity is a process for embedding information con- 
cerning digital information to be transmitted. 
[0088] In this aspect of the present invention, the elec- 
tronic watermark embedding process performed by the 
30 second entity is a process for embedding information 
that only the second entity is capable of creating. 
[0089] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
35 changes information across a network, wherein at least 
one of the plurality of entities includes encryption means 
and electronic watermark embedding means, and 
wherein the electronic watermark embedding means 
performs an electronic watermark embedding process 
40 for information at least before or after the encryption 
means encrypts the information. 

[0090] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
45 changes information across a network, wherein of the 
plurality of entities one entity for receiving information 
includes electronic watermark embedding means for 
performing an electronic watermark embedding process 
for received information. 
so [0091] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
changes information across a network, wherein one of 
the plurality of entities includes encryption means and 
55 electronic watermark embedding means, and another 
entity includes means for employing a one-way com- 
pression function to examine at the least the legality ei- 
ther of an encryption process performed by the encryp- 
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tion means, or of an electronic watermark embedding 
process performed by the electronic watermark embed- 
ding means. 

[0092] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system which includes a plurality of entities and ex- 
changes information across a network, wherein the plu- 
rality of entities includes a first entity having first encryp- 
tion means and first electronic watermark embedding 
means, and a second entity having second encryption 
means and second electronic watermark embedding 
means; wherein the first electronic watermark embed- 
ding means performs at the least an electronic water- 
mark embedding process for digital information before 
or after the first encryption means encrypts the informa- 
tion; and wherein second electronic watermark embed- 
ding means performs at the least an electronic water- 
mark embedding process for the information received 
from the first entity before or after the second encryption 
means encrypts the digital information. 
[0093] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
changes information across a network t wherein the plu- 
rality of entities includes at the least first and second 
entities for exchanging digital information: wherein the 
first entity includes first encryption means, first electron- 
ic watermark embedding means for performing an elec- 
tronic watermark embedding process for digital informa- 
tion before encryption is performed by the encryption 
means, and first decryption means for performing de- 
cryption, corresponding to the encryption performed by 
the first encryption means, of digital information re- 
ceived from the second entity: and wherein a second 
entity includes second encryption means, second elec- 
tronic watermark embedding means for, before encryp- 
tion is performed by the second encryption, performing 
an electronic watermark embedding process without de- 
crypting the digital information received from the first en- 
tity, and second decryption means for performing de- 
cryption, corresponding to the encryption performed by 
the second encryption means, of the digital information 
received from the first entity. 

[0094] In this aspect of the present invention, before 
performing the electronic watermark embedding proc- 
ess, the first entity uses an anonymous public key hav- 
ing a certificate that is issued by an authentication center 
to examine a signature included with the second entity. 
[0095] In this aspect of the present invention, the first 
electronic watermark embedding process is a process 
for embedding information concerning the second enti- 
ty. 

[0096] In this aspect of the present invention, the first 
electronic watermark embedding means embeds infor- 
mation concerning digital information to be transmitted. 
[0097] In this aspect of the present invention, the sec- 
ond electronic watermark embedding means embeds 
information that only the second entity is capable of cre- 



ating. 

[0098] According to an another aspect of the present 
invention, provided is an image file apparatus for storing 
image information with electronic watermark informa- 

5 tion and information for examining the legality of the 
electronic watermark information. 
[0099] In this aspect of the present invention, informa- 
tion for examining the legality constitutes a one-way 
compression function. 

10 [0100] In this aspect of the present invention, the elec- 
tronic watermark information is information that is en- 
crypted with the image information, and that is decrypt- 
ed with the image information. 

[01 01] In this aspect of the present invention, the one- 
75 way compression function is used to transform the en- 
crypted image information and the electronic watermark 
information. 

[0102] According to an another aspect of the present 
invention, an electronic watermark system for embed- 
20 ding electronic watermark information comprises: 

means, or an entity, for examining the legality of ei- 
ther an encryption process or of an electronic wa- 
termark embedding process at the least: and 
25 means, or an entity, provided separately from said 
examining means or unit, for performing the encryp- 
tion process and the electronic watermark embed- 
ding process. 

30 [0103] The means for examining the legality may be 
provided for a third entity, which is provided separately 
from a first entity that includes means for performing the 
encryption process and the electronic watermark em- 
bedding process for information, and a second entity, 
55 for receiving from the first entity encrypted information 
in which an electronic watermark has been embedded. 
[0104] The first entity may be provided at an informa- 
tion reception side, and may transmit the encrypted in- 
formation in which the electronic watermark has been 
40 embedded to the second entity at an information provi- 
sion side. 

[0105] The first entity may employ a one-way com- 
pression function to transform the encrypted information 
in which an electronic watermark has been embedded, 
45 and to output the obtained value together with the en- 
crypted information in which the electronic watermark 
has been embedded. 

[0106] The first entity may transmit to the third entity 
a value obtained by transformation using the one-way 
so compression function. 

[0107] The third entity may be capable of performing 
a decryption process corresponding to the encryption 
process. 

[01 08] The first entity may receive primarily encrypted 
55 information in advance, and may perform a secondary 
encryption process and an electronic watermark em- 
bedding process for the primarily encrypted information. 
[01 09] According to an another aspect of the present 
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invention, provided is an electronic watermark system 
for embedding an electronic watermark, wherein an en- 
tity for managing an encryption key includes means for 
examining the legality of electronic watermark informa- 
tion. 

[01 10] In order to examine the legality of the electronic 
watermark and the encryption process, the entity may 
decrypt encrypted information in which an electronic wa- 
termark has been embedded and that is output by a dif- 
ferent entity. 

[0111] In addition, in order to examine the legality of 
the electronic watermark and the encryption process, 
the entity may compare a value that is obtained by using 
a one-way compression function to transform the en- 
crypted information in which the electronic watermark is 
embedded and that is output by the different entity with 
a value that is output by the different entity. 
[0112] According to an another aspect of the present 
invention, an electronic information distribution system, 
for exchanging digital information across a network con- 
stituted by a plurality of entities, comprises an entity for 
performing at least an encryption process and an elec- 
tronic watermark embedding process for the digital in- 
formation, and an entity for at the least examining the 
legality of either the encryption process or the electronic 
watermark embedding process. 

[0113] The entity for examining the legality may be an 
entity for managing an encryption key. 
[01 1 4] According to an another aspect of the present 
invention, for the exchange of digital information by a 
first entity and a second entity in a network constituted 
by a plurality of entities, the first entity at the least em- 
beds electronic watermark information in the digital in- 
formation either before or after a first encryption proc- 
ess, and transmits the obtained digital information to the 
second entity. At the least, either before or after a sec- 
ond encryption process the second entity embeds elec- 
tronic watermark information in the digital information 
received from the first entity, and transmits the obtained 
digital information to a third entity. The third entity ex- 
amines the legality of the electronic watermark informa- 
tion that has been embedded, and notifies the first entity 
of the result of the examination. 

[0115] According to an another aspect of the present 
invention, for the exchange of digital information by a 
first entity and a second entity in a network constituted 
by a plurality of entities, the first entity embeds electronic 
watermark information in the digital information before 
a first encryption process, and transmits the obtained 
information to the second entity. Before a second en- 
cryption process, the second entity embeds electronic 
watermark information in the information received from 
the first entity, and transmits the obtained information to 
a third entity. The third entity examines the legality of the 
electronic watermark information that is embedded, and 
transmits the result and the information received from 
the second entity to the first entity. The first entity per- 
forms a decryption process, corresponding to the first 



encryption process, for the information received from 
the second entity, and transmits to the second entity the 
thus obtained first decrypted information. Thereafter, 
the second entity performs a second decryption proc- 
s ess, corresponding to the second encryption process, 
for the first decrypted information received from the first 
entity. 

[0116] The electronic watermark information embed- 
ded by the first entity may include information concern- 

10 ing the second entity. 

[0117] The electronic watermark information embed- 
ded by the first entity may include information concern- 
ing digital information to be transmitted. 
[0118] The electronic watermark information embed- 

1$ ded by the second entity may be information that only 
the second entity is capable of creating. 
[0119] In this aspect of the present invention, before 
embedding the electronic watermark, the first entity ex- 
amines a signature of the second entity by using an 

20 anonymous public key having a certificate that is issued 
by an authentication center. 

[0120] According to an another aspect of the present 
invention, provided is an image file apparatus for stor- 
ing, in addition to image information to which electronic 
25 watermark information has been added, key information 
for encrypting the image information, and a one-way 
compression function for transforming the image infor- 
mation. 

[0121] The electronic watermark information may be 
30 information that is encrypted together with the image in- 
formation and is decrypted together with the image in- 
formation. 

[0122] According to an another aspect of the present 
invention, a cryptography method comprises the steps 
35 of: 



calculating second data using first data encrypted 
by a public key encryption method; and 
decrypting third data that is obtained by said calcu- 
lation step, in order to accomplish the decryption of 
the first data and the signing of the second data. 



40 



[01 23] In this aspect of the present invention, the first 
data are encrypted image data, and image data in which 

45 an electronic watermark has been embedded are ob- 
tained by decrypting the third data. 
[0124] In this aspect of the present invention, the first 
data are data obtained by the secondary encryption, us- 
ing the public key encryption method, of primary en- 

50 crypted information. 

[0125] According to an another aspect of the present 
invention, provided is a cryptography method used for 
a network that includes a plurality of entities, whereby 
for the exchange of digital information, at least by a first 

55 entity and a second entity of the plurality of entities, the 
first entity calculates second data using first data, which 
is encrypted using a public key belonging to the second 
entity, and transmits the third data that is obtained to the 
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second entity; and whereby the second entity employs 
a self owned-secret key to decrypt the third data re- 
ceived from the first entity, and implements the decryp- 
tion of the first data and the signing of the second data. 
[01 26] According to an another aspect of the present $ 
invention, provided is a cryptography method for a net- 
work that includes a plurality of entities, whereby for the 
exchange of digital information, at least between a first 
entity and a second entity of the plurality of entities, the 
second entity employs a self-owned public key for en- 
crypting the first data that have been encrypted using a 
public key belonging to the first entity, and transmits the 
resultant first data to the first entity; the first entity em- 
ploys a self-owned secret key to decrypt the first data 
received from the second entity, performs calculations 
with second data using the decrypted first data to obtain 
third data, and transmits the third data to the second 
entity; and the second entity employs a self-owned se- 
cret key to decrypt the third data received from the first 
entity, and implements the decryption of the first data 
and the signing of the second data. 
[0127] In this aspect of the present invention, the first 
entity provides information, and the second entity re- 
ceives information. 

[01 28] In this aspect of the present invention, cryptog- 
raphy is performed using a public key method for which 
RSA cryptography is employed. 

[0129] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
changes digital information across a network, wherein 
the plurality of entities includes at least a first and a sec- 
ond entity for exchanging digital information: wherein 
the first entity includes calculation means for performing 
calculations with second data using the first data that 
are encrypted by employing a public key belonging to 
the second entity, and for obtaining third data; and 
wherein the second entity includes decryption means for 
using a self-owned secret key to decrypt the third data 
received from the first entity. 

[01 30] According to an another aspect of the present 
invention, provided is an electronic information distribu- 
tion system, which includes a plurality of entities and ex- 
changes digital information across a network, wherein 
the plurality of entities include at least a first and a sec- 
ond entity for exchanging digital information: wherein 
the first entity includes first encryption means for en- 
crypting first data using a self-owned public key, first de- 
cryption means for using a self-owned secret key to de- 
crypt first data received from the second entity, and cal- 
culation means that, to obtain third data, performs cal- 
culations with second data using the first data decrypted 
by the first decryption means: and wherein the second 
entity includes second encryption means for using a 
self-owned public key to encrypt the first data that are 
encrypted by the first encryption means of the first entity, 
and second decryption means for using a self-owned 
secret key to decrypt the third data received from the 



first entity. 

[0131] In this aspect of the present invention, a public 
key cryptography method using RSA cryptography is 
employed. 

[0132] In this aspect of the present invention, the first 
entity supplies information and the second entity re- 
ceives information. 

[01 33] In this aspect of the present invention, the first 
data are image data and the second data are electronic 
watermark information. 

[01 34] Embodiments of the present invention will now 
be described with reference to the accompanying draw- 
ings, in which: 

Fig. 1 is a diagram for explaining a conventional 
electronic watermark system; J 
Fig. 2 is a diagram for explaining a conventional 
electronic watermark system obtained by improving 
the method in Fig. 1; 

Fig. 3 is a diagram for explaining a conventional 
electronic watermark system obtained by improving 
the method in Fig. 2; 

Fig. 4 is a diagram for explaining an electronic wa- 
termark system according to a first embodiment of 
the present invention; 

Fig. 5 is a diagram for explaining an electronic wa- 
termark system according to a second embodiment 
of the present invention; 

Fig. 6 is a diagram showing a general image format: 
Fig. 7 is a diagram showing an example file format; 
Fig. 8 is a diagram showing another example file 
format; 

Fig. 9 is a diagram showing attribute information 
stored in an Image Content Property Set area of the 
file format; 

Fig. 10 is a diagram showing an example image file 
constituted by a plurality of images having different 
resolutions; 

Fig. 11 is a diagram showing the division into tiles 
of an image having different resolution layers; 
Fig. 1 2 is a table showing attribute information con- 
cerning image data obtained by tile division; 
Fig. 13 is a block diagram illustrating the arrange- 
ment of an electronic information distribution sys- 
tem according to a third embodiment of the present 
invention: 

Fig. 14 is a block diagram illustrating the arrange- 
ment of an electronic information distribution sys- 
tem according to a fourth embodiment of the 
present invention; 

Fig. 1 5 is a diagram for explaining an electronic wa- 
termark system according to a fifth embodiment of 
the present invention; 

Fig. 1 6 is a diagram for explaining an electronic wa- 
termark system according to a sixth embodiment of 
the present invention: 

Fig. 17 is a block diagram illustrating the arrange- 
ment of an electronic information distribution sys- 
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tern according to a seventh embodiment of the 
present invention; 

Fig. 1 8 is a diagram for explaining the implementa- 
tion of the protocol for the above system when RSA 
cryptography is used; 

Fig. 19 is a block diagram illustrating an electronic 
information distribution system according to an 
eighth embodiment of the present invention; and 
Fig. 20 is a diagram for explaining the implementa- 
tion of the protocol for the above system when RSA 
cryptography is used. 

[01 35] A first embodiment of the present invention will 
now be described while referring to Fig. 4. 
[0136] An electronic watermark method according to 
one embodiment of the present invention is performed 
by a system 1 00 shown in Fig. 4 for which an electronic 
information distribution system according to an embod- 
iment of the present invention is applied. 
[0137] The. system 100 is a network, constituted by 
multiple entities (not shown), that includes a terminal 1 0 
at the server side (a server terminal), a terminal 20 at 
the user side (a user terminal), and a terminal 30 at the 
verification office side (a verification office). The individ- 
ual entities exchange digital data across the network. 
[0138] The server terminal 10 comprises: a contract 
confirmation unit 11, for receiving data from the user ter- 
minal 20; a first electronic watermark embedding unit 
12, for receiving, for example, image data (digital data): 
a primary encryption unit 13, for receiving the output of 
the first electronic watermark embedding unit 12: a pri- 
mary decryption unit 1 4, for receiving data from the user 
terminal 20; a second electronic watermark embedding 
unit 1 5, for receiving data from the user terminal 20 and 
output from the primary decryption-unit 14: and a hash 
generator 1 6 for receiving the output of the second elec- 
tronic watermark embedding unit 15. The outputs of the 
primary encryption unit 13 and the hash generator 16 
are transmitted to the user terminal 20, and the output 
of the second electronic watermark embedding unit 15 
is transmitted both to the hash generator 16 and to the 
user terminal 20. 

[0139] The user terminal 20 comprises: a contract 
generator 21 , for transmitting data to the contract con- 
firmation unit 11 of the server terminal 10: a signature 
generator 22: a secondary encryption unit 24, for receiv- 
ing data from the primary encryption unit 1 3 of the server 
terminal 10; a secondary decryption unit 25, for receiv- 
ing data from the primary decryption unit 14 and from 
the electronic watermark embedding unit 1 5 of the serv- 
er terminal 10; and a hash confirmation unit 27, for re- 
ceiving data from the second electronic watermark em- 
bedding unit 1 5 and the hash generator 1 6 of the server 
terminal 10. The data produced by the secondary de- 
cryption unit 25 are output as image data for which an 
electronic watermark is provided. The data produced by 
the secondary encryption unit 24 are transmitted to the 
primary decryption unit 1 4 of the server terminal 1 0, and 
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the data produced by the signature generator 23 are out- 
put to the secondary electronic watermark embedding 
unit 15 of the server terminal 10. 
[0140] In the above system 100, information concern- 
ing the primary encryption process, such as the method 
used and a secret key, is only that which is available to 
the server, and information concerning the secondary 
encryption process is only that which is available to the 
user. It should be noted that a property both of the pri- 
mary encryption process and the secondary encryption 
process is that regardless of whichever encryption proc- 
ess is performed first, a message can be deciphered by 
the decryption process. 

[0141] Hereinafter, the encryption process is repre- 
sented by "EiQ", the decryption process is represented 
by "Di( )" and the embedding process concerning an 
electronic watermark is represented by "+". 
[0142] The processing performed by the thus ar- 
ranged system 100 will now be explained. First, the em- 
bedding process for an electronic watermark will be ex- 
plained. Embedding Process 

1) First, to obtain desired image data G, the user 
terminal 20 issues to the server terminal 10 a re- 
quest bearing the user's signature. The requested 
data is information (user's signature information) 
that is generated by the contract generator 21 and 
that is hereinafter called contract information. 

2) The contract confirmation unit 11 in the server 
terminal 10 employs the user's signature to verify 
the received contract information, and then uses the 
contract information to prepare user information U. 
The first electronic watermark embedding unit 12 
embeds, in the requested image data G, the user 
information U prepared by the contract confirmation 
unit 1 1 . The first encryption unit 1 3 performs the pri- 
mary encryption process E1 () for the image data(G 
+ U) using the user information U that is embedded, 
and transmits the obtained data to the user terminal 
20. In this fashion, the user terminal 20 receives the 
primary encrypted image data E1(G + U). 

3) The secondary encryption unit 24 of the user ter- 
minal 20 performs the secondary encryption of the 
primary encrypted image data E1(G + U) that have 
been received from the server terminal 10, and 
transmits the obtained secondary encrypted image 
data E2(E1 (G + U)) to the server terminal 1 0. At this 
time, the user acquires his or her secret key from 
the signature generator 22, and prepares signature 
information S and transmits it to the server terminal 
10. 

4) The primary decryption unit 14 in the server ter- 
minal 1 0 decrypts the primary encrypted data of the 
secondary encrypted image data E2(E1 (G + U)) re- 
ceived from the user terminal 210. The second elec- 
tronic watermark embedding unit 15 confirms the 
signature information S received from the user ter- 
minal 20. embeds the signature information S in the 
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image data E2(G + U) generated by the primary de- 
cryption unit 14, and transmits the obtained data to 
the user terminal 20. The hash generator 1 6 gener- 
ates a hash value H1 for the data E2(G + U) + S 
that is to be transmitted to the user terminal 20, 
signs it, and, along with the data E2(G + U) + S, 
transmits the obtained hash value H1 to the user 
terminal 20. As a result, the user terminal 20 re- 
ceives the data E2(G + U) + S, the hash value HI, 
and its signature. 

The hash value is a value obtained by calculat- 
ing the hash function h(), and the hash function is 
a compression function that seldom causes a colli- 
sion. A collision in this case would mean that for the 
different values x1 and x2 t h(x1) = h(x2). The com- 
pression function is a function for converting a bit 
string having a specific bit length into a bit string 
having a different bit length. Therefore, the hash 
function is a function h() by which a bit string having 
a specific bit length is converted into a bit string hav- 
ing a different bit length, and for which values xl and 
x2 that satisfy h(x1) = h(x2) seldom exist. Since a 
value x that satisfies y = h(x) is not easily obtained 
from an arbitrary value y, accordingly, the hash func- 
tion is a one-way function. Specific examples forthe 
hash function are an MD (Message Digest) 5 or an 
SHA (Secure Hash Algorithm). 
5) Next, the hash confirmation unit 27 in the user 
terminal 20 confirms the hash H1 and its signature 
transmitted from the server terminal 10 to confirm 
that the hash value H1 matches a hash value gen- 
erated from the data E2(G + U) + S. After this con- 
firmation, the data E2(G + U) + S, thea hash value 
H1 and its signature are stored. 

[0143] Then, the secondary decryption unit 25 de- 
crypts the secondary encrypted data E2(G + U) + S 
transmitted from the server terminal 1 0 to extract image 
daga Gw to which the electronic watermark is added. 
Therefore, the electronic watermark-added image data 
Gw is represented as Gw = G + U + D2(S). This repre- 
sents that the user informaiton U and the signature in- 
formation S influenced by the secondary cipher are em- 
bedded as watermark information in the original image 
data G. 

[0144] As is described above, according to the elec- 
tronic watermark method of the present invention, since 
the server performs the embedding of electronic water- 
mark information, basically, the user can not perform an 
illegal activity. The server receives the signature infor- 
mation. S directly from the user and embeds it in the data 
as electronic watermark information; however, since the 
signature information D2(S) that is obtained by the user 
in the conversion procedure in 5) of the embedding proc- 
ess is affected by the secondary encryption process that 
is known only by the user, the server can not embed the 
signature information D2(S) directly in original image 
and then lay the blame for the crime on the user. 
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[0145] When an illegal copy (an illegal image) is 
found, the following verification process is performed to 
identity an unauthorized person. It should be noted that, 
as in the above references 1 and 2, the image data are 
s not affected by the modification or the deletion of elec- 
tronic information. 

Verification Process 

10 [0146] 

1) First, the server terminal 10 extracts user infor- 
mation U' from the illegal image Gw' = G + U' + D2 
(S') that was found. 
'5 2) The server terminal 10 transmits to the verifica- 
tion office 30 the illegal image Gw' and the extracted 
user information U\ and requests that an examina- 
tion of the user be made. 

3) The verification office 30 requests that the user 
20 submit to it the secondary encryption key that the 
user has saved, and to extract the signature infor- 
mation S\ uses the submitted encryption key to per- 
form a secondary encryption process for the illegal 
image Gw'. 

25 4) When the correct signature information (S' = S) 
is extracted, the verification office 30 determines 
that an illegal activity has been performed the user. 

5) When the correct signature information can not - 
be extracted, the verification office 30 requests that 

30 the user submit the data E2(G + U) + S, its hash 
value H1 and its signature, all of which are trans- 
mitted by the server terminal 1 0 to the user terminal 
20, verifies the hash value H1 and the signature, 
and confirms that the hash value H1 matches a 

35 hash value generated for the data E2(G + U) + S. 

After making this confirmation, according to the pro- 
cedure 3) in the verification process, the verification 
office 30 decrypts the data E2(G + U) + S using the 
secondary encryption key that is submitted by the 

*o user, and extracts image data Gw having an elec- 
tronic watermark. 

6) When the verification office 30 can not extract 
correct image data Gw using an electronic water- 
mark, the office 30 ascertains that an illegal activity 

4 5 has been performed by the user. This means that 

the secondary encryption key submitted at the pro- 
cedure step 3) of the verification process is not cor- 
rect. 

7) When correct image data having an electronic 
so watermark is extracted, the verification office 30 de- 
termines ascertains that an illegal activity has been 
performed by the server. 

[0147] As is apparent from the above verification 
55 process, the terminal of the verification office 30 can per- 
form the same functions as does the secondary encryp- 
tion unit 24, the secondary decryption unit 25, and the 
hash confirmation unit 27 of the user terminal 20. 
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[0148] As is described above, according to the first 
embodiment, since the advantages accruing to a server 
and to a user conflict, collusion between the two does 
not occur. Therefore, since if the user does not embed 
correct signature information this fact can be detected 
from the reproduced image during the verification proc- 
ess, the user can not perform an illegal activity. And fur- 
ther, since during the embedding process the signature 
information affected by the secondary encryption at the 
user side is not available to the server, the server can 
also not perform an illegal activity. And finally, until an 
illegal image is discovered there is no need for the ver- 
ification office, as until an illegal image is discovered the 
fact that an illegal activity has been performed can not 
be established. 

[0149] If the procedures for the above verification 
process are well known, and if both a user and a server 
are aware of the results that can be provided by the proc- 
ess, an illegal activity performed by the user or by the 
server can be detected even if a verification office is not 
provided. 

[0150] Next, a second embodiment of the present in- 
vention will be explained hereinafter. 
[0151] Recently, the transfer of money across net- 
works, a fund transfer procedure that is called electronic 
cash, has come to be employed. Since as with a regular 
cash payment, the name of the owner of an electronic 
cash transfer is not identified, anonymity is attained. If 
the attainment of anonymity were not possible, a seller 
of a product could obtain from an electronic cash trans- 
fer information concerning a purchaser and the use of 
its product, and the privacy of a user would not be pro- 
tected. Therefore, the protection of the privacy of a user 
is as important as is the protection of a copyright for a 
creator who uses an electronic watermark. 
[0152] In the second embodiment, therefore, the an- 
onymity of a user is provided for a purchase, and when 
an illegality, such as illegal distribution of images, is 
found, it is possible to identify an unauthorized distribu- 
tor, which is the original purpose of an electronic water- 
mark. This is achieved by, for example, a system 200 
shown in Fig. 5. 

[0153] The system 200 has the same structure as the 
system 100 according to the first embodiment, with an 
anonymous public key certificate that is issued by a ver- 
ification office 40 being provided for a user terminal 20. 
[0154] Generally, in order to authenticate signature in- 
formation, a certificate issued by an organization called 
a verification office is added to a public key that is used 
for examining the signature information. 
[0155] The verification office is an organization that 
issues certificates for public keys belonging to users in 
order to provide authentication for public keys in accord- 
ance with the public key encryption system. That is, the 
verification office employs a secret key it owns to pro- 
vide a signature for the public key of a user or for data 
concerning the user, and for this purpose prepares and 
issues a certificate. When a user receives from another 



user a signature that is accompanied by a certificate, 
the user examines the certificate using the public key of 
the verification office to verify the authentication provid- 
ed by the user who transmitted the public key (at least 
5 the fact that authentication has been provided the user 
by the verification office). Both VeriSign and CyberTrust 
are well known organizations that operate such verifica- 
tion offices. 

[0156] When at procedure 2) of the embedding proc- 
10 ess in the first embodiment a server examines a signa- 
ture to verify the contract information for a user, the serv- 
er can employ the public key with a signature issued by 
the verification office 40 in Fig. 5. However, since the 
name of the owner of the public key is generally written 
is in the certificate, user anonymity is not provided at the 
time data are purchased. 

[0157] On the other hand, if the verification office 40 
keeps secret the correspondence of public keys and 
their owners, the name of an owner may not be written 

20 in the certificate for a public key. An anonymous certifi- 
cate for a public key is hereinafter called an "anonymous 
public key certificate", and a public key for which such 
a certificate is provided is called an "anonymous public 
key with a certificate". In procedure 1 ) of the above de- 

25 scribed embedding process, when the user terminal 20 
transmits to the server terminal 10 not only contract in- 
formation but also the anonymous public key with a cer- 
tificate so that the contract information for the signature 
and the signature information S can be examined, the 

30 user can remain anonymous when purchasing digital 
data. 

[0158] The server terminal 10 receives the anony- 
mous public key with the certificate as information to be 
used for identifying a user. When an illegal copy is found, 

35 the server terminal 10 submits the anonymous public 
key with the certificate to the verification office 40 and 
in turn obtains the name of the user to whom the public 
key corresponds, so that the user can be identified. Con- 
sequently, the procedures 1) and 2) of the embedding 

40 process and the procedures 1 ) and 2) of the verification 
process in the first embodiment are modified as follows 
in order both to provide anonymity for a user when pur- 
chasing digital data and to identify an unauthorized user 
when the performance of an illegal activity is discovered. 

45 [0159] The embedding process and the verification 
process performed by the system 200 in Fig. 5 will be 
specifically explained. 

[0160] As the same reference numerals as are used 
for the system 1 00 in Fig. 4 are also employed to denote 

50 corresponding or identical components in the system 
200 in Fig. 5, no specific explanation will be given for 
components other than those for whom different refer- 
ence numerals are allocated. And since the processing 
in the second embodiment is the same as that in the first 

55 embodiment, except for procedures 1 ) and 2) of the em- 
bedding process and procedures 1) and 2) of the verifi- 
cation process, no detailed explanation of the process- 
ing will be given. 
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Embedding Process 
[0161] 

1 ) First, in the user terminal 20, a contract generator 
21 provides, for contract information for requesting 
desired image data, a signature that corresponds 
to an anonymous public key with a certificate issued 
by a verification office 40, and together with the 
anonymous public key with the certificate, transmits 
the contract information to the server terminal 10. 

2) In the server terminal 10, a contract confirmation 
unit 11 uses the public key of the verification office 
40 to examine the public key of the user following 
which it verifies the signature provided for the con- 
tract information using the anonymous public key of 
the user and prepares user information U by the 
use : at the least, of either the contract information 
or the anonymous public key with the certificate. A 
first electronic watermark embedding unit 12 em- 
beds, in requested image data G, the user informa- 
tion U that is prepared by the contract confirmation 
unit 11. A primary encryption unit 13 performs the 
primary encryption process E1() for the resultant 
image data G : and transmits the obtained data to 
the user terminal 20. In this manner the user termi- 
nal 20 receives primary encrypted image data E1 
(G +U). 

[01 62] Hereinafter, the procedures 3) to 5) of the em- 
bedding process in the first embodiment are performed. 

Verification Process 

[0163] 

1 ) The server terminal 10 extracts user information 
U' from an illegal image Gw' that is discovered, and 
submits to the verification office 40 the extracted us- 
er information U' and an anonymous public key, 
which is obtained from the contract information, to 
acquire the name of a user who corresponds to the 
anonymous public key. 

2) The server terminal 1 0 submits to the verification 
office 40 the illegal image Gw\ the extracted user 
information U' and the name of the user, and re- 
quests that a verification process be performed for 
the user. 

[0164] Then, the procedures 3) to 7) of the verification 
process in the first embodiment are performed. 
[0165] As is described above, according to the 
present invention, the user can remain anonymous, 
even so far as the verification office is concerned, when 
purchasing digital data. 

[0166] Various data, to include image data in the first 
and the second embodiment and a hash value obtained 
during the embedding process for an electronic water- 



mark, can be stored in the following image format. Ac- 
cording to the following genera! image format, for exam- 
ple, image data that are transmitted at individual steps 
can be stored in an image data portion, and a corre- 

5 sponding hash value and its signature can be stored in 
an image header portion. Furthermore, a hash value 
and its signature, which the user must retain, and the 
secondary encryption key can be stored in the image 
header portion, while image data havincpan electronic 

10 watermark can be stored in the image data portion. 
[0167] According to the following file format, the gen- 
eral image format, which includes the hash value and 
the signature, can be stored as data in each layer. And 
the hash value and the signature may be stored as at- 

15 tribute information in a property set. 

[0168] The general image format will now be ex- 
plained. 

[0169] According to the general image format, an im- 
age file is divided into an image header portion and an 

20 image data portion, as is shown in Fig. 6. 

[0170] Generally, in the image header portion are 
stored information required for reading image data from 
an image file, and additional information for explaining 
the contents of an image. In the example in Fig. 6 are 

25 stored an image format identifier describing the name 
of an image format, a file size, the width, height and 
depth of an image, information as to whether data are 
compressed or not, a resolution, an offset to an image 
data storage location, the size of a color palette, etc. 

30 image data are sequentially stored in the image data 
portion. Typical examples of such image formats are the 
BMP format of Microsoft and the GIF format of Com- 
puserve. 

[0171] Another file format will now be explained. 

35 [0172] According to the following file format, attribute 
information stored in the image header portion and the 
image data stored in the image data portion are rear- 
ranged more as a structure and are stored in the file. 
The structured image file is shown in Figs. 7 and 8. 

40 [0173] The individual properties and data in the file 
are accessed as storage and streams that correspond 
to the directories and files of MS-DOS. In Figs. 7 and 8, 
the shaded portions are storage and the unshaded por- 
tions are streams. Image data and image attribute infor- 

^5 mation are stored in the streams. 

[0174] In Fig. 7, the image data are arranged hierar- 
chically in accordance with different resolutions, with an 
image at each resolution being called a Subimage and 
being represented by a Resolution 0, 1 , . . ., or n. For an 

50 image at each resolution, the information that is required 
for the reading of the image data is stored in a Subimage 
Header area, and the image data are stored in a Subim- 
age data area. 

[0175] The property sets, which are composed of at- 
55 tribute information that is defined by sorting it in conso- 
nance with the purpose for which it is used and its con- 
tents, comprise Summary Info. Property Sets, Image In- 
fo. Property Sets, Image Content Property Sets and Ex- 
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tension List Property Sets. 
Explanation for Each Property Set 

[0176] A Summary Info. Property Set is not an inner- $ 
ent part of this file format, but is required for structured 
storage for Microsoft for storing the tile of a file, the 
name, the author, and the thumb-nail image. 
[0177] General information concerning a storage unit 
(Storage) is stored in the Com Obj. Stream. 1C 
[0178] An Image Content Property Set is an attribute 
for describing a storage method for image data (see Fig. 
9). For this attribute there are provided the number of 
layers of image data, the width and height of an image 
at the maximum resolution, the width, the height and the 
color of an image at each resolution, and the definition 
of a quantization table or a Huffman table used for JPEG 
compression. 

[0179] An Extension List Property Set is an area used 
to add information that is not included in the basic spec- ^ 
ification of the above file format. 

[0180] In an ICC Profile area is described an ICC (In- 
ternational Color Consortium) specified conversion pro- 
file for color spatial conversion. 

[0181] In an Image Info. Property Set are stored var- 2. 
ious types of information that can be utilized to employ 
image data, for example, the following types of informa- 
tion that describe how an image is fetched and how it 
can be used: 

3 

* information concerning a fetching method or a gen- 
eration method for digital data; 

* information concerning a copyright; 

* information concerning the contents of an image (a 
person or the locale of an image); - 

* information concerning a camera used to take a 
photograph: 

* information concerning the setup for a camera (ex- 
posure, shutter speed, focal distance, whether a 
flash was used, etc.); 

* information concerning a resolution unique to a dig- 
ital camera and a mosaic filter; 

* information concerning the name of the maker and 
the model name of the camera, and the type (neg- 
ative/positive, or color/monochrome): 

=1= information concerning the type and the size when 
the original is a book or other printed matter; and 

* information concerning a scanner and a software 
application that was used to scan an image, and the 
operator. 

[0182] An Image View Object in Fig. 8 is an image file 
in which a viewing parameter, which is used to display 
an image, and image data are stored together. The view- 
ing parameter is a set of stored coefficients for adjusting 
the rotation, the enlargement/reduction., the shifting, the 
color conversion and the filtering processing for an im- 
age when it is displayed. In Fig. 8, in a Global Info. Prop- 
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erty Set area, is written a locked attribute list, for exam- 
ple, an index for a maximum image, an index for the 
most altered item, and information concerning the per- 
son who made the last correction. 
[0183] Furthermore, a Source/Result Image Object is 
the substance of the image data, while a Source Object 
is requisite and a Result Image Object is optional. Orig- 
inal image data are stored in the Source Object area, 
and image data obtained by image processing using the 
viewing parameter are stored in the Result Object area. 
[0184] Source/Result Desc. Property Set is a property 
set used to identify the above image data. An image ID, 
a property set for which changes are inhibited, and the 
date and the time of the last update are stored in this 
area. 

[0185] In a Transform Property Set area are stored an 
Affine conversion coefficient used for the rotation, the 
enlargement/reduction and the shifting of an image, a 
color conversion matrix, a contrast adjustment value 
and a filtering coefficient. 

[0186] An explanation will now be given of how image 
data is handled. Employed for this explanation is an im- 
age format that includes a plurality of images having dif- 
ferent resolutions that are obtained by dividing an image 
into a plurality of tiles. 

[0187] In Fig. 10 is shown an example image file that 
is constituted by a plurality of images having different 
resolutions. In Fig. 1 0, an image having the highest res- 
olution consists of X0 columns x Y0 rows, and an image 
having the next highest resolution consists of XO/2 col- 
umns x YO/2 rows. The number of columns and the 
number of rows are sequentially reduced by 1/2 until the 
columns and rows are equal to or smaller than 64 pixels, 
or the columns and the rows are equal. 
[0188] As a result of the layering of image data, the 
number of layers in one image file is required image at- 
tribute information, and the header information and the 
image data, which have been explained for the general 
image format, are also required for an image at each 
layer (see Fig. 6). The number of layers in one image 
file, the width and height of an image at its maximum 
resolution, the width, the height and the color of an im- 
age having an individual resolution, and a compression 
method are stored in the Image Content Property Set 
area (see Fig. 9). 

[0189] The image at a layer at each resolution is di- 
vided into tiles, each of which is 64 x 64 pixels, as is 
shown in Fig. 11. When an image is divided beginning 
at the left upper portion into tiles of 64 x 64 pixels, a 
blank space may occur in one part of a tile at the right 
edge or the lower edge. In this case, the rightmost image 
or the lowermost image is repeatedly inserted to con- 
struct 64 x 64 pixels. 

[0190] In this format, image data for the individual tiles 
are stored by using either JPEG compression, the single 
color, or a non-compressed method. JPEG compres- 
sion is the image compression technique internationally 
standardized by ISO/IEC JTC1/SC29, and thus an ex- 
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planation of this technique will not be given. The single 
color method is a technique whereby only when one tile 
is constructed entirely of the same color the tile is ex- 
pressed as a single color with no individual pixel values 
being recorded. This method is especially effective for 
an image that is generated by computer graphics. 
[01 91] The image data that are thus divided into tiles 
are stored, for example, in the Subimage data stream 
in Fig. 7, and the total number of tiles, the sizes of the 
individual tiles, the location at which data begin, and the 
data compression method are stored in the Subimage 
Header area (see Fig. 12). 

[01 92] In the first and the second embodiments, elec- 
tronic watermark information can be embedded by using 
various methods, such as the well known methods de- 
scribed in : for example, "Hiding of Static Picture Data 
Using Pixel Blocks'\ Shimizu, Numao, Morimoto (IBM, 
Japan), 53rd Information Processing Institute National 
Assembly, IN-11, September 1996; or in "Source 
Spread Spectrum Watermarking for Multimedia", I.J. 
Cox, J. Kilian, T. Leighton andT. Shamoon (NEC), NEC 
Research Institute Technical Report 95-10. 
[01 93] The primary encryption and the secondary en- 
cryption can also be implemented by employing various 
methods, such as an encryption system for changing the 
arrangement of bits in consonance with an encryption 
key; and a hash value and its signature can be provided 
for all data that are to be transmitted. In these embodi- 
ments, the primary encryption and the secondary en- 
cryption are so performed that in the electronic water- 
mark information embedding process the server and the 
user do not need to exchange information. However, 
DES (Data Encryption Standard) cryptography or a 
hash function may be employed to prevent wiretapping 
and the alteration of data across a communication path 
by a third party. 

[0194] Furthermore, in the first and the second em- 
bodiments, the server is in charge of the detection of 
illegal data distribution. However, so long as electronic 
watermark extraction means is provided, any user can 
detect an illegal data distribution and information con- 
cerning a pertinent user even though he or she does 
not know the secret key for the primary encryption and 
the secondary encryption; and when an illegal distribu- 
tion is detected, the user need only notify the server for 
the verification process to be begun. Therefore, the de- 
tection of illegal distributions is not limited to the server. 
[01 95] The server terminal 1 0 can embed in the image 
data not only the user information U but also other in- 
formation as needed, such as copyright information and 
information concerning an image data distribution con- 
dition. In addition, to embed secret information, the serv- 
er terminal 10 need only perform the embedding proc- 
ess after the primary encryption, so that in addition to 
the signature information, information that is affected by 
the primary encryption can be embedded in the image 
data. The user information U is not always embedded 
before the primary encryption, and may be embedded 



after the primary encryption (in this case, the detection 
of the user information U can be performed only by the 
server or a person who knows the secret key used for 
the primary encryption). 

5 [0196] When a plurality of users share a printer or a 
terminal, the user's signature information and the sec- 
ondary encryption may include the signature informa- 
tion and the encryption system for the common printer 
or terminal. The primary encrypted information from the 

io server terminal 10 may be widely distributed across a 
network or by using a CD-ROM, even without it being 
requested by the user terminal 20 based on the contract 
information. 

[0197] The signature information S for the user is not 
75 necessarily generated by the public key encryption 
method, but may be information (e.g., a code number) 
that is defined by the user based on the contracted in- 
formation. 

[0198] In the United States, to employ encryption for 
40 bits or more, a key management office is required to 
manage an encryption key in order to prevent the unau- 
thorized use of the cryptograph. The verification office 
30, therefore, can also serve as a key management of- 
fice. And when the verification office 30 provides ad- 
vance management of the secondary encryption key, 
the verification office 30 can perform by itself the verifi- 
cation processes 1) to 3) by performing the monitoring 
for an illegal image. The primary encryption key of the 
server 10 may be managed either by the verification of- 
fice 30, or by another key management office. And the 
keys of the server terminal 10 and the user terminal 20 
may be generated and distributed by the key manage- 
ment office. 

[01 99] As is apparent from the above explanation, ac- 
cording to the electronic watermark method and the 
electronic information distribution system of the present 
invention, the illegal copying and distribution of digital 
datacan be detected and a culpable person can be iden- 
tified, so that all illegal activities can be prevented. 
Therefore, as regards the illegal distribution of digital da- 
ta, a safe system can be provided. Furthermore, an im- 
age file apparatus can be provided that can file image 
data in which an electronic watermark has been embed- 
ded using the electronic watermark method, and that 
can, in particular, more easily identify embedded elec- 
tronic watermark information. In addition, this system 
can easily be applied for a key management office that 
maintains the anonymity of a user and that prevents the 
unauthorized use of cryptography. 
[0200] The other embodiments of the present inven- 
tion will now be described while referring to the accom- 
panying drawings. 

[0201] A third embodiment will be described first. 
[0202] An electronic watermark method according to 
the present invention is performed by a system 100 
shown in Fig. 1 3. for which an electronic information dis- 
tribution system according to the present invention is ap- 
plied. 
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[0203] The system 100 is a network constituted by 
multiple entities (not shown), including a terminal 10 at 
the server's side (a server terminal) and a terminal 20 
at the user's side (a user terminal). The individual enti- 
ties exchange digital data across the network. 5 
[0204] The server terminal 10 comprises: a contract 
confirmation unit 11 , for receiving data from the user ter- 
minal 20; an electronic watermark embedding unit 12, 
for receiving image data (digital data), for example,; a 
primary encryption unit 13, for receiving the output of 10 
the electronic watermark embedding unit 12; a primary 
decryption unit 14, for receiving data from the user ter- 
minal 20; a hash confirmation unit 1 5, for receiving data 
from the user terminal 20 and data output by the primary 
decryption unit 1 4; and a hash generator 1 6 for receiving * s 
the output of the primary decryption unit 14. The outputs 
of the primary encryption unit 1 3 and the hash generator 
16 are transmitted to the user terminal 20. And the out- 
put of the primary decryption unit 1 4 is transmitted both 
to the hash generator 16 and the user terminal 20. 20 
[0205] The user terminal 20 comprises: a contract 
generator 21 , for transmitting data to the contract con- 
firmation unit 11 of the server terminal 10; a signature 
generator 22; an electronic watermark embedding unit 
23 : for receiving data from the signature generator 22 25 
and from the primary encryption unit 13 of the server 
terminal 10: a secondary encryption unit 24, for receiv- 
ing data from the electronic watermark embedding unit 
23; a hash generator 26, for receiving data from the sec- 
ondary encryption unit 24; a secondary decryption unit 30 
25, for receiving data from the primary decryption unit 
14 of the server terminal 10; and a hash confirmation 
unit 27, for receiving data from the primary decryption 
unit 1 4 and the hash generator 1 6 of the server terminal 
10. The data output by the secondary decryption unit 25 35 
is image data containing an electronic watermark. 
[0206] The data output by the secondary encryption 
unit 24 are transmitted to the primary decryption unit 14 
and to the hash confirmation unit 1 5 of the server termi- 
nal 10, and the data output by the hash generator 26 40 
are also transmitted to the hash confirmation unit 15 of 
the server terminal 10. 

[0207] In the above system 1 00 : information concern- 
ing the primary encryption, such as the method and a 
secret key, is known only by the server, and information 45 
concerning the secondary encryption is known only by 
the user. It should be noted that a property of both the 
primary encryption and the secondary encryption is that 
regardless of whichever encryption is performed first, a 
message can be deciphered by the decryption. so 
[0208] Hereinafter, the encryption process is repre- 
sented by "Ei()'\ the decryption process is represented 
by "DiQ'V and the embedding process concerning an 
electronic watermark is represented by "+". 
[0209] The electronic watermark embedding process 55 
performed by the system 100 will now be explained. 



Embedding Process 
[0210] 

1 ) First, the user terminal 20 issues a request bear- 
ing his or her signature to the server to obtain de- 
sired image data G. The requested data is informa- 
tion (user's signature information) that is generated 
by the contract generator 21 and that is hereinafter 
called contract information. 

2) The contract confirmation unit 11 in the server 
terminal 10 employs the user's signature to verify 
the received contract information, and then em- 
ploys the contract information to prepare the user 
information U. 

The first electronic watermark embedding unit 
1 2 embeds, in the requested image data G, the user 
information U prepared by the contract confirmation 
unit 11. 

The first encryption unit 1 3 performs the prima- 
ry encryption process E1 () for the image data (G + 
U) in which the user information U has been em- 
bedded, and transmits the obtained data to the user 
terminal 20. 

In this fashion the primary encrypted image da- 
ta E1 (G + U) is received by the user terminal 20. 

3) The signature generator 22 of the user terminal 
20 generates signature information S using the se- 
cret key input by the user. 

The electronic watermark embedding unit 23 
embeds the signature information S that is gener- 
ated by the signature generator 22 in the primary 
encrypted image data E1 (G + U) that are received 
from the server terminal 10. 

The secondary encryption unit 24 performs the 
secondary encryption for the primary encrypted im- 
age data E1(G + U) + S in which the signature in- 
formation S is embedded by the electronic water- 
mark embedding unit 23, and transmits the ob- 
tained data to the server terminal 10. 

Therefore, the server terminal 10 receives the 
secondary encrypted image data E2(E1(G + U) + 
S). 

At this time, the hash generator 26 generates 
a hash value H2 for the secondary encrypted image 
data E2(E 1 (G + U) + S), which are to be transmitted 
to the server terminal 10, provides a signature for 
the hash value H2, and transmits to the server ter- 
minal 10 the obtained value that, except for the sig- 
nature information S, contains secret information 
concerning an electronic watermark. 

The secret information is information concern- 
ing the embedding location and the depth for de- 
tecting the electronic watermark, and before trans- 
mission, it is encrypted by another encryption meth- 
od used in common with the server terminal 10. 

The hash value is a value obtained by calculat- 
ing the hash function h(), and the hash function is 
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a compression function that seldom causes a colli- 
sion. A collision in this case would mean that for the 
different values x1 and x2, h(x1) = h(x2). The com- 
pression function is a function for converting a bit 
string having a specific bit length into a bit string s 
having a different bit length. Therefore, the hash 
function is a function h() by which a bit string having 
a specific bit length is converted into a bit string hav- 
ing a different bit length, and for which values xl and 
x2 that satisfy h(x1) = h(x2) seldom exist. Since a 10 
value x that satisfies y = h(x) is not easily obtained 
from an arbitrary value y, accordingly, the hash func- 
tion is one-way function. Specific examples for the 
hash function are an MD (Message Digest) 5 or an 
SHA (Secure Hash Algorithm). is 

4) The hash confirmation unit 15 of the server ter- 
minal 10 confirms that the signature on the hash val- 
ue H2 received from the user terminal 20 matches 
the hash value of the transmission data, and stores 

the hash value H2. 20 

The primary decryption unit 1 4 performs the pri- 
mary decryption for the secondary encrypted image 
data E2(E1 (G + U) + S) received from the user ter- 
minal 20, and transmits the obtained data to the us- 
er terminal 20. 25 

As a result, the user terminal 20 receives image 
data E2(G + U) + D1(E2(S)). 

At this time, the hash generator 16 generates 
a hash value H1 for the data E2(G + U) + D1 (E2(S)) 
that are to be transmitted to the user terminal 20, 30 
provides a signature for the hash value H1, and 
transmits to the user terminal 20 the obtained hash 
value H1 with the above image data. 

5) The hash confirmation unit 27 of the user terminal 

20 confirms that the signature appended to the hash 3S 
value H1 received from the server terminal 10 
matches the hash value of the transmission data, 
and stores the hash value H1 . 

[0211] The secondary decryption unit 25 performs the 40 
secondary decryption for the image data E2(G + U) + 
D1 (E2(S)) received from the server terminal 10, and ex- 
tracts image data Gw for which an electronic watermark 
is provided. 

[0212] The image data Gw that are provided with an 
electronic watermark is represented by 

Gw = G + U + D1(S). 

so 

This means that the watermark (user information) U and 
the watermark information (signature information) S that 
is affected by the primary encryption are embedded in 
the original image data G. 

[0213] The image data Gw that are provided with an 55 
electronic watermark are stored. 

[0214] As is described above, the user information U 
is not affected by the encryption, while the signature in- 
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formation S is affected by the primary encryption per- 
formed by the server. 

[0215] When an illegal copy (an illegal image) is 
found, a culpable unauthorized user is identified by the 
following process (hereinafter the process is referred to 
as a verification process). It should be noted that, as in 
the above references 1 and 2, the image data are not 
affected by the modification or the deletion of electronic 
watermark information. 

Verification Process 

[0216] 

1) First, the server terminal 10 extracts -user infor- 
mation U' from an illegal image Gw' that is discov- 
ered, and also performs primary encryption of the 
data Gw' to extract signature information S'.. 

2) When correct signature information S is extract- 
ed at procedure 1) (S 1 = S), the server 10 submits 
it into the verification office 30, which determines 
that the user has performed an illegal activity. - 

This is because the signature information S" 
can be created only by that user, and the server has 
no information concerning the signature information 
S'. The correctness of the signature information S' 
can be verified by determining whether information 
defined in advance in the contract information can 
be output by employing the public key that corre- 
sponds to the secret key that the user used to gen- 
erate the signature information. 

3) When correct signature information S can not be 
extracted (S' * S) from the illegally distributed image 
Gw\ to request an examination of that image Gw', 
the server terminal 10 submits to the verification "of- 
fice 30 the secondary encrypted image data E2(E1 
(G + U) + S) stored in the verification office 30, the 
hash value H2 and the signature affixed thereto, the 
secret key for the primary encryption, and secret in- 
formation concerning the image Gw'. 

4) Upon receiving the request submitted at proce- 
dure 3), the verification office 30 confirms that the 
correct signature information S can not be extracted 
from the illegal image Gw'. Then, the verification of- 
fice 30 confirms the hash value H2 and its signature 
that were submitted, and verifies that the hash value 
of the secondary encrypted image data E2(E1(G + 
U) + S) matches the hash value H2 that was sub- 
mitted. 

After performing the verification, the verification 
office 30 performs the primary decryption for the 
secondary encrypted image data E2(E1(G + U) + 

5) . and confirms that its hash value matches the 
hash value H1 held by the user. At this time, the 
signature affixed to the hash value H1 is also veri- 
fied. 

5) When these hash values do not match at proce- 
dure 4). the verification office 30 determines that an 
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illegal activity was performed by the user. This 
means that the secret key for the primary encryption 
differs for the procedure 4) of the embedding proc- 
ess and the procedure 4) of the verification process. 

6) When the two hash values match at procedure 5 
4), the verification office 30 requests that the sec- 
ondary decryption for the image data E2(G + U + 

D1 (S)) be performed, and extracts the signature in- 
formation S from the obtained data. 

7) When the correct signature information S can not 10 
be extracted at procedure 6), the verification office 

30 determines that the user performed an illegal ac- 
tivity. 

8) When the correct signature information S is ex- 
tracted at procedure 6), the verification office 30 de- is 
termines that the user did not perform an illegal ac- 
tivity but that the server did. 

[0217] As is described above, according to the third 
embodiment, since the advantages accruing to a server 20 
and to a user conflict, collusion between the two does 
not occur. Therefore, since if the user does not embed 
correct signature information this fact can be detected 
from the reproduced image during the verification proc- 
ess, the user can not perform an illegal activity. And fur- 25 
then since during the embedding process the signature 
information for the user is not available to the server, the 
server can also not perform an illegal activity And finally, 
until an illegal image is discovered there is no need for 
the verification office, as until an illegal image is discov- 30 
ered the fact that an illegal activity has been performed 
can not be established. 

[0218] A fourth embodiment will now be described. 
[0219] Recently, the transfer of money across net- 
works, a fund transfer procedure that is called electronic 35 
cash, has come to be employed. Since as with a regular 
cash payment, the name of the owner of an electronic 
cash transfer is not identified, anonymity is attained. If 
the attainment of anonymity were not possible, a seller 
of a product could obtain from an electronic cash trans- -*o 
fer information concerning a purchaser and the use of 
its product, and the privacy of a user would not be pro- 
tected. Therefore, the protection of the privacy of a user 
is as important as is the protection of a copyright for a 
creator who uses an electronic watermark. ^5 
[0220] In a fourth embodiment, therefore, the ano- 
nymity of a user is provided for a purchase, and when 
an illegality, such as illegal distribution of images, is 
found, it is possible to identify an unauthorized distribu- 
tor, which is the original purpose of an electronic water- so 
mark. This is achieved by for example, a system 200 
shown in Fig. 14. 

[0221] The system 200 has the same structure as the 
system 100 according to the third embodiment, with an 
anonymous public key certificate that is issued by a ver- ss 
ification office 40 being provided for a user terminal 20. 
[0222] Generally, in order to authenticate signature in- 
formation, a certificate issued by an organization called 
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a verification office is added to a public key that is used 
for examining the signature information. 
[0223] The verification office is an organization that 
issues certificates for public keys belonging to users in 
order to provide authentication for public keys in accord- 
ance with the public key encryption system. That is, the 
verification office employs a secret key it owns to pro- 
vide a signature for the public key of a user or for data 
concerning the user, and for this purpose prepares and 
issues a certificate. When a user receives from another 
user a signature that is accompanied by a certificate, 
the user examines the certificate using the public key of 
the verification office to verify the authentication provid- 
ed by the user who transmitted the public key (at least 
the fact that authentication has been provided the user 
by the verification office). Both VeriSign and CyberTrust 
are well known organizations that operate such verifica- 
tion offices. 

[0224] When at procedure 2) of the embedding proc- 
ess in the third embodiment a server examines a signa- 
ture to verify the contract information for a user, the serv- 
er can employ the public key with a signature issued by 
the verification office. 

[0225] However, since the name of the owner of the 
public key is generally written in the certificate, user an- 
onymity is not provided at the time data are purchased. 
[0226] On the other hand, if the verification office 
keeps secret the correspondence of public keys and 
their owners, the name of an owner may not be written 
in the certificate for a public key. A public key for which 
such a certificate is provided is called an "anonymous 
public key with a certificate". 

[0227] In procedure 1 ) of the above described embed- 
ding process, when the user transmits to the server not 
only contract information but also the anonymous public 
key with a certificate so that the contract information for 
the signature and the signature information S can be ex- 
amined, the user can remain anonymous when pur- 
chasing digital data. The server receives the anony- 
mous public key with the certificate as information to be 
used for identifying a user. When an illegal copy is found, 
the server submits the anonymous public key with the 
certificate to the verification office 40 and in turn obtains 
the name of the user to whom the public key corre- 
sponds, so that the user can be identified. 
[0228] Consequently, the procedures 1) and 2) of the 
embedding process and the procedure 1) of the verifi- 
cation process in the third embodiment are modified as 
follows in order both to provide anonymity for a user 
when purchasing digital data and to identify an unau- 
thorized user when the performance of an illegal activity 
is discovered. 

[0229] The embedding process and the verification 
process performed by the system 200 in Fig. 14 will be 
specifically explained. 

[0230] As the same reference numerals as are used 
for the system 100 in Fig. 13 are also employed to de- 
note corresponding or identical components in the sys- 
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tern 200 in Fig. 14, no specific explanation will be given 
for components other than those for whom different ref- 
erence numerals are allocated. 

[0231] And since the processing in the fourth embod- 
iment is the same as that in the third embodiment, ex- $ 
cept for procedures 1 ) and 2) of the embedding process 
and procedure 1 ) of the verification process, no detailed 
explanation of the processing will be given. 

Embedding Process 

[0232] 

1 ) First, in the user terminal 20, a contract generator 
21 provides, for contract information for requesting 
desired image data, a signature that corresponds 
to an anonymous public key with a certificate issued 
by a verification office 40, and together with the 
anonymous public key with the certificate, transmits 
the contract information to the server terminal 10. 

2) In the server terminal 1 0, a contract confirmation 
unit 11 uses the public key of the verification office 
40 to examine the public key of the user following 
which it verifies the signature provided for the con- 
tract information using the anonymous public key of 
the user and prepares user information U by the 
use, at the least : of either the contract information 
or the anonymous public key with the certificate. 

[0233] An electronic watermark embedding unit 12 
embeds, in requested image data G : the user informa- 
tion U that is prepared by the contract confirmation unit 
11. A primary encryption unit 13 performs the primary 
encryption process E1 () for the resultant image data G, 
and transmits the obtained data to the user terminal 20. 
[0234] In this manner the user terminal 20 receives 
primary encrypted image data E1 (G + U). 
[0235] Hereinafter the procedures 3) to 5) of the em- 
bedding process in the third embodiment are performed. 
[0236] In this case also, the user information U is not 
affected by the encryption, while the signature informa- 
tion S is affected by the primary encryption performed 
by the server. 

[0237] When an illegal copy (an illegal image) is dis- 
covered, the following verification process is performed. 

Verification Process 

[0238] 1) The server terminal 10 extracts user infor- 
mation from illegal electronic cash Mw' and also ex- 
tracts signature information S' by performing the primary 
encryption for the illegal electronic cash Mw". In addition, 
the server terminal 10 submits to the verification office 
40 an anonymous public key that is obtained in conso- 
nance with the illegal electronic cash Mw\ the extracted 
user information and the contract information, and re- 
quests the name of the user who corresponds to the 
anonymous public key. 



[0239] Thereafter, the procedures 2) to 8) of the ver- 
ification process in the third embodiment are performed. 
[0240] As is described above, since in this embodi- 
ment, as in the third embodiment, the advantages ac- 
cruing to the server and the user conflict, collusion be- 
tween the two does not occur. Therefore, when the user 
does not embed correct signature information, this fact 
is detected from the reproduced image during the veri- 
fication process, so that the user can not perform an il- 
legal activity. Further, since during the embedding proc- 
ess the server has no access to the signature informa- 
tion of the user, the server also can not perform an illegal 
activity. In addition, the verification office is not neces- 
sary until an illegal image is discovered, as that an illegal 
activity has been performed can not be established be- 
fore an illegal image is discovered. 
[0241] Various data, including image data in the third 
and the fourth embodiment and the hash values ob- 
tained in the electronic watermark embedding process, 
can be stored in the image formats shown in Figs. 6 to 
12. 

[0242] As is described above, according to the third 
and the fourth embodiments, since the advantages ac- 
cruing to the server (the first entity) and the user (the 
second entity) conflict, collusion between the two does, 
not occur Therefore, when the user does not embed 
correct signature information, this fact is detected from 
the reproduced image during the verification process, 
so that the performance of an illegal activity by the user 
can be prevented. Further since during the embedding 
process the server has no access to the signature infor- 
mation of the user, the performance of an illegal activity 
by the server can also be prevented. Further the verifi- 
cation office is not necessary until an illegal image is 
found, as an illegal activity can not be performed before 
an illegal image is found. Therefore, as regards the ille- 
gal distribution of digital data, a safe system can be pro- 
vided, and with this system the anonymity of a user can 
be easily insured. 

[0243] Furthermore, an image file apparatus can be 
provided that can file an image data in which an elec- 
tronic watermark was embedded using the above de- 
scribed electronic watermark method, and that, in par- 
ticular, can more easily identify the embedded electronic 
watermark information. 

[0244] A fifth embodiment of the present invention will 
now be described while referring to Fig. 15. 
[0245] An electronic watermark method according to 
the present invention is performed by a system 100 
shown in Fig. 15, to which is applied an electronic infor- 
mation distribution system according to the present in- 
vention. 

[0246] The system 100 is a network constituted by 
multiple entities (not shown), including a terminal 10 at 
the server's side (a server terminal), a terminal 20 at the 
user's side (a user terminal) and a terminal 30 at the 
verification office side (a verification office). The individ- 
ual entities exchange digital data across the network. 
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[0247] The server terminal 10 comprises: a contract 
confirmation unit 1 1 , for receiving data from the user ter- 
minal 20; an electronic watermark embedding unit 12, 
for receiving image data (digital data), for example; a 
primary encryption unit 13, for receiving the output of 5 
the electronic watermark embedding unit 12; and a pri- 
mary decryption unit 1 4, for receiving data from the user 
terminal 20. The data from the primary encryption unit 
1 3 and the primary decryption unit 1 4 are transmitted to 
the user terminal 20. io 
[0248] The user terminal 20 comprises: a contract 
generator 21 , for transmitting data to the contract con- 
firmation unit 11 of the server terminal 10; a signature 
generator 22; an electronic watermark embedding unit 
23, for receiving data from the signature generator 22 is 
and from the primary encryption unit 13 of the server 
terminal 10: a secondary encryption unit 24, for receiv- 
ing data from the electronic watermark embedding unit 
23; and a secondary decryption unit 25, for receiving da- 
ta from the primary decryption unit 1 4 of the server ter- 20 
minal 10. The data output by the secondary decryption 
unit 25 are image data containing an electronic water- 
mark. The data output by the secondary encryption unit 
24 are transmitted to the primary decryption unit 14 of 
the server terminal 10, and to the verification office ter- 25 
minal 30. 

[0249] The verification office terminal 30 comprises: 
a secondary decryption unit 31, for receiving data from 
the secondary encryption unit 24 of the user terminal 20; 
and an electronic watermark confirmation unit 32, for re- 30 
ceiving data from the secondary decryption unit 31 . The 
data from the electronic watermark confirmation unit 32 
are transmitted to the server terminal 10 and the user 
terminal 20. The data from the second decryption unit 
31 are also transmitted to the primary decryption unit 1 4 35 
of the server terminal 1 0. 

[0250] In the above system 100, information concern- 
ing the primary encryption process, such as the method 
used and a secret key, is only that which is available to 
the server and information concerning the secondary 40 
encryption process is only that which is available to the 
user. It should be noted that a property both of the pri- 
mary encryption process and the secondary encryption 
process is that regardless of whichever encryption proc- 
ess is performed first, a message can be deciphered by 45 
the decryption process. 

[0251] Hereinafter the encryption process is repre- 
sented by "EiO", the decryption process is represented 
by "Di( )" and the embedding process concerning an 
electronic watermark is represented by "+". so 
[0252] The processing performed by the thus ar- 
ranged system 100 will now be explained. First, the em- 
bedding process for an electronic watermark will be ex- 
plained. Embedding Process 

55 

1) First, to obtain desired image data G, the user 
terminal 20 issues to the server terminal 10 a re- 
quest bearing the user's signature. The requested 



data is information (user's signature information) 
that is generated by the contract generator 21 and 
that is hereinafter called contract information.. 

2) The contract confirmation unit 11 in the server 
terminal 10 employs the user's signature to verify 
the received contract information, and then uses the 
contract information to prepare user information U. 
The electronic watermark embedding unit 12 em- 
beds, in the requested image data G, the user in- 
formation U prepared by the contract confirmation 
unit 11. The first encryption unit 13 performs the pri- 
mary encryption process E1 () for the image data (G 
+ U) using the user information U that is embedded, 
and transmits the obtained data to the user terminal 
20. In this fashion, the user terminal 20 receives the 
primary encrypted image data E1 (G + U). 

3) Then, the signature generator 22 of the user ter- 
minal 20 generates signature information S using 
its own secret key. The electronic watermark em- 
bedding unit 23 embeds the signature information 
S, generated by the signature generator 22, in the 
primary encrypted image data E1(G + U) that are 
transmitted (distributed) by the server terminal 10. 
The secondary encryption unit 24 performs the sec- 
ondary encryption of the primary encrypted image 
data E1 (G + U) + S, in which the signature informa- 
tion S is embedded by the electronic watermark em- 
bedding unit 23, and transmits the obtained image 
data to the verification office 30. In this fashion, the 
verification office 30 receives the secondarily en- 
crypted image data E2(E1(G + U) + S). 

At this time, the secondary encryption unit 24 
generates a hash value H2 for the secondary en- 
crypted image data E2(E1(G + U) + S), which are 
to be transmitted to the verification office 30, pro- 
vides a signature for the hash value H2, and trans- 
mits to the verification office 30 the obtained value 
together with the secondary encryption secret key 
and secret information concerning an electronic wa- 
termark, except for the signature information S. 

The secret information is information concern- 
ing the embedding location and the depth for de- 
tecting the electronic watermark, and before trans- 
mission, it is encrypted by another encryption meth- 
od used in common with the verification office 30. 

The hash value is a value obtained by calculat- 
ing the hash function h(), and the hash function is 
a compression function that seldom causes a colli- 
sion. A collision in this case would mean that for the 
different values x1 and x2 : h(x1 ) = h(x2). The com- 
pression function is a function for converting a bit 
string having a specific bit length into a bit string 
having a different bit length. Therefore, the hash 
function is a function h() by which a bit string having 
a specific bit length is converted into a bit string hav- 
ing a different bit length, and for which values x1 
and x2 that satisfy h(x1 ) = h(x2) seldom exist. Since 
a value x that satisfies y = h(x) is not easily obtained 
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from an arbitrary value y, accordingly, the hash func- 
tion is a one-way function. Specific examples for the 
hash function are an MD (Message Digest) 5 or an 
SHA (Secure Hash Algorithm). 

4) Following this, the secondary decryption unit 31 
of the verification office 30 verifies the signature af- 
fixed to the hash value H2 received from the user 
terminal 20, and confirms that the hash value H2 
matches the hash value of the transmitted data. Af- 
ter these confirmations, the secondary decryption 
unit 31 decrypts the secondary encrypted image da- 
ta E2 (E1 (G + U) + S), and extracts the signature 
information S from the image data. The electronic 
watermark confirmation unit 32 examines the sig- 
nature information S. If the signature information S 
is correct, verification information is provided with 
the signature of the verification office 30. Finally, the 
verification office 30 transmits to the server terminal 
10 the secondary encrypted image data E2 (E1 (G 
+ U) + S) that are received from the user terminal 
20, the hash value H2 and the signature therefor 
and the verification information concerning these 
data and the signature therefor. 

5) Next, the primary decryption unit 1 4 of the server 
terminal 1 0 confirms the verification information and 
the accompanying signature received from the ver- 
ification office 30, and verifies the secondary en- 
crypted image data E2 (E1 (G + U) + S), the hash 
value H2 and its affixed signature. After these con- 
firmations, the primary decryption unit 14 performs 
the primary decryption for the secondary encrypted 
image data E2 (E1 (G + U) + S) to obtain the image 
data E2 (G + U) + D1 (E2 (S)), which are then trans- 
mitted to the user terminal 20. 

6) The secondary decryption unit 25 of the user ter- 
minal 20 performs the secondary decryption for the 
image data E2 (G + U) + D1 (E2 (S)) received from 
the server terminal 10, and extracts image data Gw 
in which is embedded an electronic watermark. The 
image data in which is embedded the electronic wa- 
termark is therefore represented by Gw = G + U + 
D1 (S). This indicates that the user information U 
and the user's signature information S that is affect- 
ed by the primary encryption are embedded as wa- 
termark information in the original image data G. 

[0253] If at procedure 4) correct watermark informa- 
tion is not verified by the verification office 30 due to the 
performance of an illegal activity by the server or the 
user, notifications to that effect are forwarded to the 
server terminal 10 and to the user terminal 20. Even 
when the transaction is halted at this time, the server 
can prevent the user from illegally acquiring image data 
while it can not obtain a payment for the data, and the 
user does not need to pay the server the cost of the im- 
age data so long as it can not obtain the data. Therefore, 
the performance of an illegal activity is presents no prob- 
lem for either the server or the user. When an illegal copy 



(an illegal image) is found, a culpable person can be 
easily identified by the following simple verification proc- 
ess. 

s Verification Process 
[0254] 

1) First, the server terminal 10 extracts user infor- 
ms mation LT from an illegal image Gw' = G + LT + D1 

(S') that is discovered, and further extracts signa- 
ture information S* by performing the primary en- 
cryption for the illegal image Gw'. 

2) When correct signature information is extracted 
15 (S 1 = S), the server terminal 10 submits that 'to the 

verification office 30 to ascertain whether the user 
has performed and illegal activity. This is possible 
because the correct signature information S can be 
created only by that user, and the server has no ac- 
20 cess to the signature information S. 

3) If correct signature information can not be ex- 
tracted (S' * S), the server terminal 10 submits it to f 
the verification office 30 to ascertain whether the 

server has performed an illegal activity. l 

25 

[0255] According to the electronic watermark method 
of the fifth embodiment, since both the server terminal 
1 0 and the user terminal 20 perform the digital data en- 
cryption process and the electronic watermark informa- 

30 tion embedding process, even if either the server or the . ^ 

user independently illegally copies digital data, such an 
activity can be easily detected and a culpable person 
can be easily identified. Further, since the advantages 
accruing to the sever and to the user conflict, collusion 

35 between the two does not occur. And even if the two . 
were in collusion, an illegal activity could be easily de- 
tected. The security of this process is based on that the 
verification office being trustworthy. 
[0256] A sixth embodiment of the present invention 

40 will now be described. 

[0257] Recently, the transfer of money across net- 
works, a fund transfer procedure that is called electronic 
cash, has come to be employed. Since as with a regular 
cash payment, the name of the owner of an electronic 

45 cash transfer is not identified, anonymity is attained. If 
the attainment of anonymity were not possible, a seller 
of a product could obtain from an electronic cash trans- 
fer information concerning a purchaser and the use of 
its product, and the privacy of a user would not be pro- 

so tected. Therefore, the protection of the privacy of a user 
is as important as is the protection of a copyright for a 
creator who uses an electronic watermark. 
[0258] In a sixth embodiment, therefore, the anonym- 
ity of a user is provided for a purchase, and when an 

55 illegality, such as illegal distribution of images, is found, 
it is possible to identify an unauthorized distributor, 
which is the original purpose of an electronic watermark. 
This is achieved by, for example, a system 200 shown 
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in Fig. 16. 

[0259] The system 200 has the same structure as the 
system 100 according to the fifth embodiment, with an 
anonymous public key certificate that is issued by a ver- 
ification office 40 being provided for a user terminal 20. 5 
[0260] Generally, in ordertoauthenticate signature in- 
formation, a certificate issued by an organization called 
a verification office is added to a public key that is used 
for examining the signature information. 
[0261] The verification office is an organization that 10 
issues certificates for public keys belonging to users in 
order to provide authentication for public keys in accord- 
ance with the public key encryption system. That is, the 
verification office employs a secret key it owns to pro- 
vide a signature for the public key of a user or for data ?5 
concerning the user, and for this purpose prepares and 
issues a certificate. When a user receives from another 
user a signature that is accompanied by a certificate, 
the user examines the certificate using the public key of 
the verification office to verify the authentication provid- 20 
ed by the user who transmitted the public key (at least 
the fact that authentication has been provided the user 
by the verification office). Both VeriSign and CyberTrust 
are well known organizations that operate such verifica- 
tion offices. , 25 
[0262] When at procedure 2) of the embedding proc- 
ess in the fifth embodiment a server examines a signa- 
ture to verify the contract information for a user, the serv- 
er can employ the public key with a signature issued by 
the verification office 40 in Fig. 16. However, since the 30 
name of the owner of the public key is generally written 
in the certificate, user anonymity is not provided at the 
time data are purchased. 

[0263] On the other hand, if the verification office 40 
keeps secret the correspondence of public keys and 35 
their owners, the name of an owner may not be written 
in the certificate for a public key. An anonymous certifi- 
cate for a public key is hereinafter called an "anonymous 
public key certificate", and a public key for which such 
a certificate is provided is called an "anonymous public *o 
key with a certificate". In procedure 1) of the above de- 
scribed embedding process, when the user terminal 20 
transmits to the server terminal 10 not only contract in- 
formation but also the anonymous public key with a cer- 
tificate so that the contract information for the signature 45 
and the signature information S can be examined, the 
user can remain anonymous when purchasing digital 
data. 

[0264] The server terminal 10 receives the anony- 
mous public key with the certificate as information to be 50 
used for identifying a user. When an illegal copy is found, 
the server terminal 10 submits the anonymous public 
key with the certificate to the verification office 40 and 
in turn obtains the name of the user to whom the public 
key corresponds, so that the user can be identified. Con- $ s 
sequently, the procedures 1) and 2) of the embedding 
process and the procedure 1 ) of the verification process 
in the fifth embodiment are modified as follows in order 



both to provide anonymity for a user when purchasing 
digital data and to identify an unauthorized user when 
the performance of an illegal activity is discovered. 
[0265] The embedding process and the verification 
process performed by the system 200 in Fig. 16 will be 
specifically explained. 

Embedding Process 

[0266] 

1 ) First, in the user terminal 20, a contract generator 
21 provides, for contract information for requesting 
desired image data, a signature that corresponds 
to an anonymous public key with a certificate issued 
by a verification office 40, and together with the 
anonymous public key with the certificate, transmits 
the contract information to the server terminal 10. 

2) In the server terminal 10, a contract confirmation 
unit 11 uses the public key of the verification office 
40 to examine the public key of the user, following 
which it verifies the signature provided for the con- 
tract information using the anonymous public key of 
the user and prepares user information U by the 
use, at the least, of either the contract information 
or the anonymous public key with the certificate. An 
electronic watermark embedding unit 12 embeds, 
in requested image data G : the user information U 
that is prepared by the contract confirmation unit 1 1 . 
A primary encryption unit 1 3 performs the primary 
encryption process E1 () for the resultant image data 
G, and transmits the obtained data to the user ter- 
minal 20. In this manner the user terminal 20 re- 
ceives primary encrypted image data E1(G + U). 

[0267] Since sequential procedures 3) to 6) are the 
same as those in the fifth embodiment, no explanation 
for them will be given. In procedure 3), however, the sec- 
ondary encryption unit 24 of the user terminal 20 em- 
ploys a different encryption method used in common 
with the server terminal 10 to encrypt the secret infor- 
mation, except for the signature information S, concern- 
ing an electronic watermark, and transmits to the verifi- 
cation office 30 the obtained secret information together 
with a secret key for the secondary encryption. 

Verification Process 

[0268] 1) The server terminal 10 extracts user infor- 
mation U' from an illegal image Gw* that is discovered, 
and performs the primary encryption of the image Gw 1 
to extract signature information S\ Further, the server 
terminal 1 0 submits to the verification office 40 the user 
information LT extracted from the illegal image Gw', and 
the anonymous public key obtained from the contract 
information, and requests the name of a user who cor- 
responds to the anonymous public key. 
[0269] The sequential procedures 2) and 3) are the 
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same as those in the fifth embodiment. That is, when 
correct signature information is extracted (S' = S), the 
verification office 40 determines that the user has per- 
formed an illegal activity, and when correct signature in- 
formation is not extracted (S' * S), it determines that the 
server performed an illegal activity. 
[0270] As is described above, according to the sixth 
embodiment, the user can remain anonymous, even so 
far as the verification office is concerned, when purchas- 
ing digital data. 

[0271] Various data, to include image data in the fifth 
and the sixth embodiments and a hash value obtained 
during the embedding process for an electronic water- 
mark, can be stored in one of the image formats shown 
in Figs. 6 and 7. According to the following general im- 
age format, for example, image data that are transmitted 
at individual steps can be stored in an image data por- 
tion and a corresponding hash value and its signature 
can be stored in an image header portion. Furthermore, 
a hash value and its signature, which the user must re- 
tain, and the secondary encryption key can be stored in 
the image header portion, while image data having an 
electronic watermark can be stored in the image data 
portion. 

[0272] As is apparent from the above explanation, ac- 
cording to the electronic watermark method and the 
electronic information distribution system in the fifth and 
the sixth embodiments, a means or an entity for verifying 
the correctness of at least one of an encryption process 
and the electronic watermark embedding process is pro- 
vided separately from the means or the entities for per- 
forming an encryption process and the electronic water- 
mark embedding process. The illegal copying and dis- 
tribution of digital data and a culpable person can be 
identified, so that all illegal activities can be prevented. 
As a result, as regards the illegal distribution of digital 
data, a safe system can be provided. Furthermore, an 
image file apparatus can be provided that can file an 
image data in which an electronic watermark is embed- 
ded by the electronic watermark method, and that can, 
in particular, more easily identify the embedded elec- 
tronic watermark information. In addition, this system 
can be easily applied for a key management office that 
maintains the anonymity of a user and that prevents un- 
authorized use of cryptography. 

[0273] A seventh and an eighth embodiments will now 
be described while referring to the accompanying draw- 
ings. 

[0274] First, a seventh embodiment will be explained. 
[0275] An electronic watermark method according to 
the present invention is performed by a system 100 
shown in Fig. 17, to which an electronic information dis- 
tribution system according to the present invention is ap- 
plied. 

[0276] The system 100 is a network constituted by 
multiple entities (not shown), including a terminal 10 at 
the server's side (a server terminal) and a terminal 20 
at the user's side (a user terminal). The individual enti- 



ties exchange digital data across the network. 
[0277] An electronic watermark method or a public 
key encryption method, for example, is applied for the 
system 100. 

5 [0278] The server terminal 10 comprises: a primary 
encryption unit 1 3, for receiving image data (digital data) 
G and an encryption key (public key) input by a server, 
for example; a primary decryption unit 1 4 : for receiving 
data from the user terminal 20 and a decryption key (se- 

10 cret key) input by the server; and an electronic water- 
mark embedding unit 12, for receiving the output of the 
primary decryption unit 1 4. The outputs of the electronic 
watermark embedding unit 12 and the primary encryp- 
tion unit 1 3 are transmitted to the user terminal 20. 

*5 [0279] The user terminal 20 comprises: a secondary 
encryption unit 24, for receiving data from the primary 
encryption unit 13 of the server terminal 10 and an en- 
cryption key (public key) that is input by a user: a signa- 
ture generator 22, for receiving a decryption key (secret 

20 key) input by the user: and a secondary decryption unit 
25, for receiving data from the electronic watermark em- 
bedding unit 12 of the server terminal 10 and the de- 
cryption key (secret key) input by the user. The data from 
the secondary encryption unit 24 are transmitted to the 

25 primary decryption unit 1 4 of the server terminal 10, the 
data from the signature generator 22 are transmitted to 
the electronic watermark embedding unit 1 2 of the serv- 
er terminal 1 0, and the data from the secondary decryp- 
tion unit 25 are output as image data with an electronic 

30 watermark. 

[0280] With the above arrangement, the system 100 
provides the following features: 

1 ) The contents of the data G are kept secret from 
35 third parties, persons other than the server and the 

user. 

2) In the protocol, the server terminal 10 performs, 
for example, an electronic watermark embedding 
process and does not transmit the data G to the user 

JO terminal 20 until the data has been processed. 

3) The protocol that inhibits the imputation of a 
crime to another person is employed to prevent the 
illegal distribution of data by the server and the user 

45 [0281] Hereinafter the encryption process is repre- 
sented by "Ei()" 5 the decryption process is represented 
by "Di()", and the embedding process concerning an 
electronic watermark is represented by multiplication. 
The protocol for the system 100 will now be described. 

50 

1 ) First, the primary encryption unit 1 3 of the server 
terminal 10 encrypts image data G by using the en- 
cryption key (public key) input by the server. 

The obtained message Cs is represented by 

55 

Cs = E1 (G). 
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The encrypted message Cs is transmitted to 
the secondary encryption unit 24 of the user termi- 
nal 20. 

2) The second encryption unit 24 of the user termi- 
nal 20 encrypts the message Cs received from the s 
server terminal 1 0 by using the encryption key (pub- 
lic key) input by the user. 

The obtained message Csu is represented as 

10 

Csu = E2 (Cs) = E2 (E1 (G)). 
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ture information) S that is affected by the secondary 
encryption is embedded in the original image data 
G. 

[0282] When RSA cryptography is employed to imple- 
ment the protocols 1 ) to 4), the processing is performed 
as follows. 

[0283] For the following explanation that is given while 
referring to Fig. 1 8, assume that the public keys of the 
server and the user are el and e2 and the secret keys 
are d1 and d2. 



The signature generator 22 generates signa- 
ture information S using the decryption key (secret 
key) input by the user. 15 

The encrypted message Csu obtained by the 
secondary encryption unit 24 is transmitted to the 
primary decryption unit 1 4 of the server terminal 1 0, 
and the signature information S generated by the 
signature generator 22 is transmitted to the elec- 20 
tronic watermark embedding unit 12 of the server 
terminal 10. 

3) Upon receiving the encrypted message Csu from 
the secondary encryption unit 24 of the user termi- 
nal 20 : the primary decryption unit 14 of the server 25 
terminal 1 0 decrypts the message Csu by using the 
decryption key (secret key) input by the server. 

The obtained message D1 is represented by 

30 

D1 (Csu) = D1 (E2 (E1 (G))) = E2 (G). 

The electronic watermark embedding unit 12 
embeds the signature information S received from 
the user terminal 20 in the decrypted message D1 35 
(Csu) obtained by the primary decryption unit 14, 
and transmits the resultant message to the second- 
ary decryption unit 25 of the user terminal 20. 

Therefore, the data Cu to be transmitted to the 
secondary decryption unit 25 of the user terminal 40 
20 is represented by 

Cu = D1 (Csu)-S = E2 (G)-S. 

45 

4) The secondary decryption unit 25 of the user ter- 
minal 20 employs the decryption key (secret key) 
input by the user to decrypt the data Cu that are 
received from the electronic watermark embedding 
unit 1 2 of the server terminal 1 0, and extracts image so 
data M which have an electronic watermark. 

Therefore, the image data M which has an elec- 
tronic watermark is represented by 

55 

M = D2 (Cu) = D2 (E2 (G)-S) = G-D2 (S). 
This means that the watermark information (signa- 



1 ) First, the server terminal 1 0 transmits to the user 
terminal 20 a message Cs obtained by encrypting 
image data G using the public key el of the server. 

The encrypted message Cs (first data) is rep- 
resented by 

Cs = G e1 . 

2) Then, the user terminal 20 transmits to the server 
terminal 10 a message Csu obtained by encrypting 
the message Cs using the public key e2 of the user 

The encrypted message Csu is represented by 

„ ,_e1 x e2 
Csu = (G ) . 

The signature information S (second data) is al- 
so transmitted. 

3) The server terminal 10 transmits to the user ter- 
minal 20 data Cu obtained by embedding the sig- 
nature information S in message Csu d1 , which is ac- 
quired by decrypting the encrypted message Csu 
using the secret key dl of the server. 

The data Cu (third data) is represented by 

Cu = Csu d1 -S = G e2 -S. 

4) Then ; the user terminal 20 finally provides for us- 
er data (image data M with an electronic watermark) 
that is obtained by decrypting the data Cu using the 
secret key d2 of the user The data is represented by 

Cu d2 = (G e2 .S) d2 = G.S d2 . 

[0284] As is described above, since in the seventh 
embodiment the image data G are always encrypted be- 
fore transmission, the above described feature 1) can 
be provided. 

[0285] In addition, since in procedure 3) the server 1 0 
performs the electronic watermark embedding process 
for the signature information S, feature 2) can be imple- 
mented. 

[0286] Since the data that the user finally obtains in- 
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eludes the signature information S that is signed using 
the secret key 62 that is known only by the user, the 
server can not counterfeit it and illegally distribute the 
final data. 

[0287] Whether the electronic watermark embedding s 
process has been correctly performed by the server can 
be ascertained by determining at the user's side wheth- 
er the following equation has been established 

70 

Csu = (Cu/S) . 

[0288] Whether data are illegally distributed can be 
determined by examining the extracted embedded in- 
formation (signature information) S d2 using the public is 
key e2 of the user. 

[0289] An eighth embodiment of the present invention 
will now be described. 

[0290] When, for example, there are multiple users for 
one server, the server adds non-encrypted information 20 
for identifying a user to image data for which an elec- 
tronic watermark is provided. 

[0291] An example arrangement of such a system is 
shown in Fig. 1 9. 

[0292] A system 200 is the same as the system 100 25 
in the seventh embodiment, except that an additional 
secondary encryption unit 18 is provided for the server 
terminal 10 : and a specific information generator 28 is 
additionally provided for the user terminal 20. 
[0293] In the server terminal 10, the secondary en- 30 
cryption unit 18 receives data from the specific informa- 
tion generator 28 of the user terminal 20 and the encryp- 
tion key (public key) from the user. The data from the 
secondary encryption unit 18 are supplied to an elec- 
tronic watermark embedding unit 12. 35 
[0294] With this arrangement, the system 200 can im- 
plement the above described features 1), 2) and 3), 
even when it must cope with multiple users. 
[0295] The protocol for the system 200 will now be ex- 
plained. 40 
[0296] The same reference numerals as are used for 
the system 100 in Fig. 17 are also used to denote the 
corresponding or identical components in the system 
200 in Fig. 19, and no detailed explanation for them will 
be given. • -*s 

1 ) First, the primary encryption unit 1 3 of the server 
terminal 1 0 encrypts the image data G using the en- 
cryption key (public key) input by the server and 
transmits the encrypted message Cs (= E1 (G)) to so 
the secondary encryption unit 24 of the user termi- 
nal 20. 

2) The secondary encryption unit 24 of the user ter- 
minal 20 employs the encryption key (public key) 
input by the user to encrypt the message Cs-re- 55 
ceived from the primary encryption unit 13 of the 
server terminal 10, and transmits the obtained mes- 
sage Csu (= E2 (Cs) = E2 (E1 (G)) to the primary 



decryption unit 14 of the server terminal 10. 

The signature generator 22 generates signa- 
ture information S using the decryption key (secret 
key) input by the user and transmits it to the elec- 
tronic watermark embedding unit 12 of the server 
terminal 10. 

Furthermore, the specific information generator 
28 generates information T that includes the public 
key that corresponds to the secret key of the user 
i.e., information (specific information) T for specify- 
ing a user, and transmits the information T to the 
secondary encryption unit 1 8 of the server terminal 
10. 

3) The primary decryption unit 14 of the server ter- 
minal 10 employs the decryption key (secret key) 
input by the server to decrypt the message Csu that 
is received from the secondary encryption unit 24 
of the user terminal 20, and transmits the decrypted 
message D1 (Csu) = D1 (E2(E1 (G))) = E2(G) to the 
electronic watermark embedding unit 12. 

In addition, the secondary encryption unit 18 
encrypts the specific information T which is re- 
ceived from the specific information generator 28 of 
the user terminal 20, by using the user's encryption 
key (public key) that is included in the specific infor- 
mation T and transmits the obtained message E2 
(T) to the electronic watermark embedding unit 12. 

The electronic watermark embedding unit 12 
embeds, in the decrypted message D1(Csu) ob- 
tained by the primary decryption unit 14 : the en- 
crypted message E2(T) obtained by the secondary 
encryption unit 18 and the signature information S 
received from the signature generator 22 of the user 
terminal 20, and transmits the resultant message to 
the secondary decryption unit 25 of the user termi- 
nal 20. 

Therefore, the data Cu transmitted to the sec- 
ondary encryption unit 25 of the user terminal 20 is 
represented by 

Cu = D1(Csu)-E2(T).S = E2(G)-E2(T)-S. 

4) The secondary encryption unit 25 of the user 
server 20 decrypts the data Cu received from the 
server terminal 10 using the decryption key (secret 
key) input by the user and extracts image data M 
for which an electronic watermark is provided. 

The image data M for which an electronic wa- 
termark is provided is represented by 

M = D2(Cu) = D2(E2(G)*E2(T)-S) = G-T-D2(S). 

This means that the watermark information (signa- 
ture information) S that is affected by the "secondary 
decryption is embedded in the original image data 
G and the non-encrypted specific information T. 
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[0297] When the RSA cryptography is employed to 
implement the protocols 1) to 4), the processing is pre- 
formed as follows. 

[0298] For the following explanation that is given while 
referring to Fig. 20, assume that the public keys of the 
server and the user are e1 and e2 and the secret keys 
are d1 and d2. 

1 ) First, the server terminal 1 0 transmits to the user 
terminal 20 message Cs (= G e1 : first data) that is 
obtained by encrypting image data G using the pub- 
lic key el of the server. 

2) Then, the user terminal 20 transmits to the server 
terminal 10 message Csu (= (G e1 ) e2 ) that is ob- 
tained by encrypting the message Cs using the pub- 
lic key e2 of the user. 

The signature information S and specific infor- 
mation T (second data) are also transmitted. 

3) The server terminal 1 0 transmits to the user ter- 
minal 20 data Cu (= Csu d1 -T e2 -S = G e2 -T e2 -S: third 
data), which is obtained by decrypting the encrypt- 
ed message Csu using the secret key dl of the serv- 
er, by encrypting the signature information S and 
the specific information T using the public key e2 of 
the user, and by embedding the obtained encrypted 
message T e2 in the obtained decrypted message 
Csu d1 . 

4) Then, the user terminal 20 finally provides for a 
user data (image data M with an electronic water- 
mark) that is obtained by decrypting the data Cu us- 
ing the secret key d2 of the user. The data is repre- 
sented by 



Cu d2 = (G e2 .S) d2 = G.S d2 . 



[0299] As is described above, in the eighth embodi- 
ment as in the seventh embodiment, the features 1), 2) 
and 3) can be implemented. 

[0300] In this embodiment, the data M that the user 
finally obtains includes non-encrypted information T for 
specifying a user. Therefore, when the data M is illegally 
distributed to a user, that user who received the data M 
can be identified by using the specific information T in- 
cluded in the data M, and the encrypted signature infor- 
mation S d2 can be examined using the public key of the 
thus identified user. As a result, the illegal distribution 
od data can be prevented, regardless of whether there 
are multiple users. 

[0301] In addition, since the server can have no 
knowledge of the original image data for the signature 
information S and the specific information T that are em- 
bedded and are to be decrypted, it is also possible to 
provide the feature "since the user can decrypt encrypt- 
ed image data G without the notifying the server the pri- 
vacy of the user can be protected". 
[0302] In the eighth embodiment, the user transmits 
the signature information S and the specific information 



T to the server separately. However, the information T 
for identifying a user may be included in the signature 
information S. Thus, since the specific information T 
need not be transmitted separately, the structure can be 
s simplified. 

[0303] The public key used for examining the image 
data and the signature in the seventh and the eighth em- 
bodiments can be stored in one of the formats in Figs. 
6 to 12. 

10 [0304] As is described above, according to this em- 
bodiment, since the first data (original data) are always 
the encrypted data, the contents of the first data can be 
kept secret from third parties, persons other than the 
server and the user. 

15 [0305] Furthermore, since the processing (electronic 
watermark embedding process for the signature infor- 
mation, etc.) is performed by the server side (first entity), 
transmission to the user (second entity) of the first data 
(original data) in the unprocessed state can be prevent- 

20 ed. 

[0306] The final data obtained by the user (second en- 
tity) includes the second data (signature information, 
etc.) signed using the secret key that only the user 
knows, the server (first entity) can neither forge it nor 

25 illegally distribute the final data. Furthermore, the illegal 
distribution of data can be detected by examining the 
second data (signature information, etc.) using the pub- 
lic key of the user (second entity). As a result, the illegal 
distribution of data by the server (first entity) and by the 

30 user (second entity) can be prevented. 

[0307] Therefore, the illegal distribution of data can 
be fully prevented, and data can be safely maintained. 
[0308] The present-invention can be implemented as 
a computer program operating on a standard computer 

35 and thus can be embodied as a storage medium carry- 
ing computer implementable instructions or an electrical 
signal carrying computer implementable instructions e. 
g. downloaded computer code. 

[0309] Many widely different embodiments of the 
40 present invention may be constructed without departing 
from the scope of the present invention. It should be un- 
derstood that the present invention is not limited to the 
specific embodiments described in the specification, ex- 
cept as defined in the appended claims. 

45 

Claims 

1 . An electronic watermarking method comprising the 
50 steps of: 

(a) embedding an electronic watermark in data; 
and 

(b) at least performing either an encryption 
55 process or a decryption process for said data 

in which electronic watermark information is 

embedded. 
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2. An electronic watermark method comprising the 
steps of: 

(a) embedding electronic watermark informa- 
tion in data and encrypting the obtained data; s 
and 

(b) embedding different electronic watermark 
information in said data that have been encrypt- 
ed. 

w 

3. An electronic watermark method according to claim 
2, wherein said data in which said different electron- 
ic watermark information is to be embedded are en- 
crypted in which said specific electronic watermark 
information has been embedded. '5 

4. An electronic watermark method according to claim 
3.. wherein said different electronic watermark infor- 
mation is embedded in said data after said data 
have been encrypted using a different encryption 20 
method. 

5. An electronic watermark method comprising the 
step of: 

embedding different information as electronic 25 
watermark information in common data before and 
after encryption is performed for said common data. 

6. An electronic watermark method : used for a net- 
work, comprising a plurality of entities, wherein pro- 30 
vided separately are an entity for embedding an 
electronic watermark in encrypted data that are ex- 
changed by said plurality of entities, and an entity 

for performing an encryption process and a corre- 
sponding decryption process. 35 

7. An electronic watermark method according to claim 

1 , wherein said encrypted data are image data. 

8. An electronic watermark method according to claim *o 

2, wherein said encrypted data are image data. 

9. An electronic watermark method according to claim 
5, wherein said encrypted data are image data. 

45 

10. An electronic watermark method according to claim 
6 : wherein said encrypted data are image data. 



11. An electronic information distribution system, which 

exchanges digital information across a network sys- so 
tern constituted by a plurality of entities, comprising: 



12. An electronic information distribution system 
wherein, for the exchange of digital information be- 
tween a first entity and a second entity in a network 
that includes a plurality of entities, said first entity 
receives encrypted information from said second 
entity, embeds electronic watermark information in 
said encrypted information and transmits the result- 
ant information to said second entity, and said sec- 
ond entity performs a corresponding decryption 
process for said encrypted information, received 
from said first entity. 

13. An electronic information distribution system 
wherein, for the exchange of digital information by 
a first entity and a second entity across ; a network 
system constituted by a plurality of entities, said first 
entity embeds electronic watermark information in 
information and performs a first encryption process 
for said information, and transmits the resultant in- 
formation to said second entity: wherein said sec- 
ond entity performs a second encryption process for 
said information received from said first entity and 
transits the resultant information to said first entity: 
wherein said first entity performs a first decryption 
process, corresponding to said first encryption 
process, for said information received from said 
second entity, and embeds electronic watermark in- 
formation in the resultant information and transmits 
the obtained information to said second entity; and 
wherein said second entity performs a second de- 
cryption process, corresponding to said second en- 
cryption process, for said information received from 
said first entity. 

14. An electronic information distribution system- ac- 
cording to claim 11, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning said sec- 
ond entity. 

15. An electronic information distribution system ac- 
cording to claim 12, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning said sec- 
ond entity. 

16. An electronic information distribution system ac- 
cording to claim 13, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning said sec- 
ond entity. 

17. An electronic information distribution system ac- 
cording to claim 11, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning digital da- 
ta to be transmitted. 



a first entity for embedding electronic informa- 
tion for said digital data; and 

a second entity for performing an encryption 55 
process and a corresponding decryption proc- 
ess for said digital data. 
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18. An electronic information distribution system ac- 
cording to claim 12, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning digital da- 
ta to be transmitted. 

19. An electronic information distribution system ac- 
cording to claim 13, wherein said electronic water- 
mark information embedded by said first entity at 
the least includes information concerning digital da- 
ta to be transmitted. 

20. An electronic information distribution system ac- 
cording to claim 11 , wherein said first entity exam- 
ines a signature of said second entity by using an 
anonymous public key having a certificate that is is- 
sued by a verification office. 

21. An electronic information distribution system ac- 
cording to claim 12, wherein said first entity exam- 
ines a signature of said second entity by using an 
anonymous public key having a certificate that is is- 
sued by a verification office. 

22. An electronic information distribution system ac- 
cording to claim 1 3, wherein said first entity exam- 
ines a signature of said second entity by using an 
anonymous public key having a certificate that is is- 
sued by a verification office. 

23. An image file apparatus, which stores, as image da- 
ta, image information obtained by decrypting image 
information for which encryption has been per- 
formed, and electronic watermark information that 
is added to said image information while said elec- 
tronic watermark information is encrypted and that 
is decrypted using said image information. 

24. An image file apparatus according to claim 23, 
wherein key information concerning said encryption 
is stored separately from said image data. 

25. An electronic watermark method, wherein an entity 
for performing an encryption process and an elec- 
tronic watermark embedding process embeds an 
electronic watermark for information at least either 
before or after said information is encrypted. 

26. An electronic watermark method according to claim 

25, wherein said entity is an entity for receiving in- 
formation. 

27. An electronic watermark method according to claim 

26, wherein said entity transmits, to an information 
provision entity, information that is encrypted in 
which an electronic watermark has been embed- 
ded. 



28. An electronic watermark method according to claim 
27, wherein said entity further transmits, to said in- 
formation provision entity, a value that is obtained 
by transforming, using a one-way compression 

5 function, said information that is encrypted in which 

an electronic watermark has been embedded. 

29. An electronic watermark method according to claim 
25, wherein said entity receives information that pri- 

io marily is encrypted in advance, and performs a sec- 
ondary encryption process and an electronic water- 
mark embedding process for said encrypted infor- 
mation. 

is 30. An electronic watermark method comprising the 
steps of: 

(a) receiving information at an entity; and 

(b) embedding an electronic watermark in said 
20 information. 

31 . An electronic watermark method according to claim 

30, wherein said entity transmits to an information 
provision entity said information in which said elec- 
ts tronic watermark has been embedded. 

32. An electronic watermark method according to claim 

31 , wherein said information provision entity em- 
beds in said information an electronic mark that dif- 

30 fers from said electronic watermark. 

33. An electronic watermark method according to claim 
25, wherein said information is image information. 

35 34. An electronic watermark method according to claim 
30, wherein said information is image information. 

35. An electronic watermark method for employing a 
one-way compression function to examine the le- 

^o gality of at the least either an encryption process or 
an electronic watermark embedding process. 

36. An electronic watermark method used for a network 
system that includes a plurality of entities, wherein, 

45 for the exchange of digital data by a first entity and 
a second entity at the least of said plurality of enti- 
ties, said first entity embeds an electronic water- 
mark in said digital information before or after per- 
forming a first encryption process and transmits the 

so resultant digital information to said second entity, 
and said second entity embeds an electronic water- 
mark in said digital information received from said 
first entity before or after a second encryption proc- 
ess. 

55 

37. An electronic watermark method used for a network 
system that includes a plurality of entities, wherein, 
for the exchange of digital data by at least a first 
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entity and a second entity of said plurality of entities, 
before a first encryption said first entity performs an 
electronic watermark embedding process for said 
digital information and transmits the resultant digital 
information to said second entity; wherein, before a 5 
second encryption said second entity, without de- 
crypting said digital information, performs an elec- 
tronic watermark embedding process for said digital 
information received from said first entity; wherein 
said first entity performs a decryption process, cor- io 
responding to said first encryption, for said digital 
information received from said second entity and 
transmits the decrypted digital information to said 
second entity; and wherein said second entity per- 
forms a decryption process, corresponding to said is 
second encryption, for said digital information re- 
ceived from said first entity. 



38. An electronic watermark method according to claim 

36, wherein, before performing said electronic wa- 20 
termark embedding process, said first entity uses 

an anonymous public key having a certificate that 
is issued by a verification office to examine a signa- 
ture included with said second entity. 

25 

39. An electronic watermark method according to claim 

37, wherein, before performing said electronic wa- 
termark embedding process, said first entity uses 
an anonymous public key having a certificate that 

is issued by a verification office to examine a signa- 30 
ture included with said second entity. 

40. An electronic watermark method according to claim 

36, wherein said electronic watermark embedding 
process performed by said first entity is a process 35 
for embedding information concerning said second 
entity. 

41. An electronic watermark method according to claim 

37, wherein said electronic watermark embedding 40 
process performed by said first entity is a process 

for embedding information concerning said second 
entity. 

42. An electronic watermark method according to claim 4 $ 

36, wherein said electronic watermark embedding 
process performed by said first entity is a process 
for embedding information concerning digital infor- 
mation to be transmitted. 

50 

43. An electronic watermark method according to claim 

37, wherein said electronic watermark embedding 
process performed by said first entity is a process 
for embedding information concerning digital infor- 
mation to be transmitted. 55 

44. An electronic watermark method according to claim 
36, wherein said electronic watermark embedding 



process performed by said second entity is a proc- 
ess for embedding information that only said sec- 
ond entity is capable of creating. 

45. An electronic watermark method according to claim 
37, wherein said electronic watermark embedding 
process performed by said second entity is a proc- 
ess for embedding information, that only said sec- 
ond entity is capable of creating. ■„ 

46. An electronic information distribution system, which 
includes a plurality of entities and exchanges infor- 
mation across a network, wherein at least one of 
said plurality of entities includes encryption means 
and electronic watermark embedding means, and 
wherein said electronic watermark embedding 
means performs an electronic watermark embed- 
ding process for information at least before or after 
said encryption means encrypts said information. 

47. An electronic information distribution system, which 
includes a plurality of entities and exchanges infor- 
mation across a network, wherein of said plurality 
of entities one entity for receiving information in- 
cludes electronic watermark embedding means for 
performing an electronic watermark embedding 
process for received information. 

48. An electronic information distribution system, which 
includes a plurality of entities and exchanges infor- 
mation across a network, wherein one of said plu- 
rality of entities includes encryption means and 
electronic watermark embedding means, and an- 
other entity includes means for employing a one- 
way compression function to examine at the least 
the legality either of an encryption process per- 
formed by said encryption means, or of an electron- 
ic watermark embedding process performed by said 
electronic watermark embedding means. 

49. An electronic information distribution system, which 
includes a plurality of entities and exchanges infor- 
mation across a network, wherein said plurality of 
entities includes a first entity having first encryption 
means and first electronic watermark embedding 
means, and a second entity having second encryp- 
tion means and second electronic watermark em- 
bedding means: wherein said first electronic water- 
mark embedding means performs at the least an 
electronic watermark embedding process for digital 
information before or after said first encryption 
means encrypts said information: and wherein sec- 
ond electronic watermark embedding means per- 
forms at the least an electronic watermark embed- 
ding process for said information received from said 
first entity before or after said second encryption 
means encrypts said digital information. 



50 
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50. An electronic information distribution system, which 
includes a plurality of entities and exchanges infor- 
mation across a network, wherein said plurality of 
entities includes at the least first and second entities 
for exchanging digital information; wherein said first 
entity includes first encryption means, first electron- 
ic watermark embedding means for performing an 
electronic watermark embedding process for digital 
information before encryption is performed by said 
encryption means, and first decryption means for 
performing decryption, corresponding to said en- 
cryption performed by said first encryption means, 
of digital information received from said second en- 
tity; and wherein a second entity includes second 
encryption means, second electronic watermark 
embedding means for, before encryption is per- 
formed by said second encryption, performing an 
electronic watermark embedding process without 
decrypting said digital information received from 
said first entity, and second decryption means for 
performing decryption, corresponding to said en- 
cryption performed by said second encryption 
means : of said digital information received from 
said first entity. 

51. An electronic information distribution system ac- 
cording to claim 49, wherein, before performing said 
electronic watermark embedding process, said first 
entity uses an anonymous public key having a cer- 
tificate that is issued by a verification office to ex- 
amine a signature included with said second entity. 

52. An electronic information distribution system ac- 
cording to claim 50 : wherein, before performing said 
electronic watermark embedding process, said first 
entity uses an anonymous public key having a cer- 
tificate that is issued by a verification office to ex- 
amine a signature included with said second entity. 

53. An electronic information distribution system ac- 
cording to claim 49, wherein said first electronic wa- 
termark embedding process is a process for em- 
bedding information concerning said second entity. 

54. An electronic information distribution system ac- 
cording to claim 50, wherein said first electronic wa- 
termark embedding process is a process for em- 
bedding information concerning said second entity. 

55. An electronic information distribution system ac- 
cording to claim 49 : wherein said first electronic wa- 
termark embedding means embeds information 
concerning digital information to be transmitted. 

56. An electronic information distribution system ac- 
cording to claim 50, wherein said first electronic wa- 
termark embedding means embeds information 
concerning digital information to be transmitted. 
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57. An electronic information distribution system ac- 
cording to claim 49, wherein said second electronic 
watermark embedding means embeds information 
that only said second entity is capable of creating. 

58. An electronic information distribution system ac- 
cording to claim 50, wherein said second electronic 
watermark embedding means embeds information 
that only said second entity is capable of creating. 

59. An image file apparatus for storing image informa- 
tion with electronic watermark information and in- 
formation for examining the legality of said electron- 
ic watermark information. 

60. An image file apparatus according to claim 59, 
wherein information for examining said legality con- 
stitutes a one-way compression function. 



20 61. An image file apparatus according to claim 59, 
wherein said electronic watermark information is in- 
formation that is encrypted with said image informa- 
tion, and that is decrypted with said image informa- 
tion. 

25 

62. An image file apparatus according to claim 60, 
wherein said one-way compression function is used 
to transform said encrypted image information and 
said electronic watermark information. 

30 

63. An electronic watermark system for embedding 
electronic watermark information comprising: 

means, or an entity, for examining the legality 
35 of either an encryption process or of an elec- 

tronic watermark embedding process at the 
least; and 

means, or an entity, for performing said encryp- 
tion process and said electronic watermark em- 
40 bedding process. 

64. An electronic watermark system according to claim 

63, wherein said means for examining said legality 
is provided for a third entity, which is furnished sep- 

45 arately from a first entity that includes means for 
performing said encryption process and said elec- 
tronic watermark embedding process for informa- 
tion, and a second entity, for receiving from said first 
entity encrypted information in which an electronic 

50 watermark has been embedded. 

65. An electronic watermark system according to claim 

64, wherein said first entity is provided at an infor- 
mation reception side, and transmits said encrypted 

55 information in which said electronic watermark has 
been embedded to said second entity at an infor- 
mation provision side. 
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66. An electronic watermark system according to claim 
65, wherein said first entity employs a one-way 
compression function to transform said encrypted 
information in which an electronic watermark has 
been embedded, and to output the obtained value 5 
together with said encrypted information in which 
said electronic watermark has been embedded. 




cording to claim 73, wherein said entity for examin- 
ing said legality is an entity for managing an encryp- 
tion key. 

75. An electronic information distribution method, for 
the exchange of digital information by a first entity 
and a second entity, comprising the steps of: 



67. An electronic watermark system according to claim 

66, wherein said first entity transmits to said third io 
entity a value obtained by transformation using said 
one-way compression function. 

68. An electronic watermark system according to claim 

64, wherein said third entity is capable of performing is 
a decryption process corresponding to said encryp- 
tion process. 

69. An electronic watermark system according to claim 

64, wherein said first entity receives primarily en- 20 
crypted information in advance, and performs a 
secondary encryption process and an electronic 
watermark embedding process for said primarily 
encrypted information. 

25 

70. An electronic watermark system for embedding an 
electronic watermark, wherein an entity for manag- 
ing an encryption key includes means for examining 
the legality of electronic watermark information. 

30 

71. An electronic watermark system according to claim 

70, wherein, in order to examine said legality of said 
electronic watermark and said encryption process, 
said entity decrypts encrypted information in which 

an electronic watermark has been embedded and 35 
that is output by a different entity. 

72. An electronic watermark system according to claim 

71 , wherein, in order to examine said legality of said 
electronic watermark and said encryption process, *o 
said entity compares a value that is obtained by us- 
ing a one-way compression function to transform 
said encrypted information in which said electronic 
watermark is embedded and that is output by said 
different entity with a value that is output by said 45 
different entity. 

73. An electronic information distribution system com- 
prising: 

50 

an entity for performing at least an encryption 
process and an electronic watermark embed- 
ding process for digital information; and 
an entity for at the least examining the legality 
of either said encryption process or said elec- 55 
tronic watermark embedding process. 

74. An electronic information distribution system ac- 



(a) said first entity at the least embedding elec- 
tronic watermark information in said digital in- 
formation either before or after a first encryption 
process, and transmitting the obtained digital 
information to said second entity; 

(b) at the least, either before or after a second 
encryption process, said second entity embed- 
ding electronic watermark information in said 
digital information received from said first entity, 
and transmitting the obtained digital informa- 
tion to a third entity; and 

(c) said third entity examining the legality of 
said electronic watermark information that has 
been embedded, and notifying said first entity 
of the result of the examination. 

76. An electronic information distribution method, for 
the exchange of digital information by a first entity 
and a second entity, comprising the steps of: 

(a) said first entity embedding electronic water- 
mark information in said digital information be- 
fore a first encryption process, and transmitting 
the obtained information to said second entity; 

(b) before a second encryption process, said 
second entity embedding electronic watermark 
information in said information received from 
said first entity, and transmitting the obtained 
information .to a third entity; 

(c) said third entity examining the legality of 
said electronic watermark information that is 
embedded, and transmitting the result and the 
information received from said second entity to 
said first entity; 

(d) said first entity performing a decryption 
process, corresponding to said first encryption 
process, for said information received from said 
second entity, and transmitting to said second 
entity the thus obtained first decrypted informa- 
tion; 

(e) said second entity performing a second de- 
cryption process, corresponding to said second 
encryption process, for said first decrypted in- 
formation received from said first entity. 

77. An electronic information distribution method ac- 
cording to claim 75 : wherein said electronic water- 
mark information embedded by said first entity in- 
cludes information concerning said second entity. 
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78. An electronic information distribution method ac- 
cording to claim 76, wherein said electronic water- 
mark information embedded by said first entity in- 
cludes information concerning said second entity. 

79. An electronic information distribution method ac- 
cording to claim 75, wherein said electronic water- 
mark information embedded by said first entity in- 
cludes information concerning digital information to 
be transmitted. 

80. An electronic information distribution method ac- 
cording to claim 76, wherein said electronic water- 
mark information embedded by said first entity in- 
cludes information concerning digital information to 
be transmitted. 

81. An electronic information distribution method ac- 
cording to claim 75 : wherein said electronic water- 
mark information embedded by said second entity 
is information that only said second entity is capable 
of creating. 

82. An electronic information distribution method ac- 
cording to claim 76, wherein said electronic water- 
mark information embedded by said second entity 
is information that only said second entity is capable 
of creating. 

83. An electronic information distribution method ac- 
cording to claim 75, wherein, before embedding 
said electronic watermark, said first entity examines 
a signature of said second entity by using an anon- 
ymous public key having a certificate that is issued 
by a verification office. 

84. An electronic information distribution method ac- 
cording to claim 76, wherein, before embedding 
said electronic watermark, said first entity examines 
a signature of said second entity by using an anon- 
ymous public key having a certificate that is issued 
by a verification office. 

85. An image file apparatus for storing, in addition to 
image information to which electronic watermark in- 
formation has been added, key information for en- 
crypting said image information, and a one-way 
compression function for transforming said image 
information. 

86. An image file apparatus according to claim 85, 
wherein said electronic watermark information is in- 
formation that is encrypted using said image infor- 
mation and is decrypted using said image informa- 
tion. 

87. A cryptography method comprising the steps of: 
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(a) calculating second data using first data en- 
crypted by a public key encryption method; and 

(b) decrypting third data that is obtained in or- 
der to accomplish the decryption of said first da- 

s ta and the signing of said second data. 

88. A cryptography method according to claim 87, 
wherein said first data are encrypted image data, 
and image data in which an electronic watermark 

10 has been embedded are obtained by decrypting 
said third data. 

89. A cryptography method according to claim 87, 
wherein said first data are data obtained by the sec- 

15 ondary encryption, using said public key encryption 
method, of primary encrypted information. 

90. A cryptography method for the exchange of digital 
information at least by a first entity and a second 

2Q entity of a plurality of entities, comprising the steps 
of: 

(a) said first entity calculating second data us- 
ing first data, which is encrypted using a public 

25 key belonging to said second entity, and trans- 

mitting the third data that is obtained to said 
second entity: and 

(b) said second entity employing a self owned- 
secret key to decrypt said third data received 

30 from said first entity, and implementing the de- 

cryption of said first data and the signing of said 
second data. 

91 . A cryptography method, which is used for a network 
35 that includes a plurality of entities, wherein, for the 

exchange of digital information at least between a 
first entity and a second entity of a plurality of enti- 
ties, said second entity employs a self -owned public 
key to encrypt said first data that have been encrypt - 

40 ed using a public key belonging to said first entity, 
and transmits the resultant first data to said first en- 
tity; wherein said first entity employs a self-owned 
secret key to decrypt said first data received from 
said second entity, performs calculations with sec- 

45 ond data using the decrypted first data to obtain 
third data, and transmits said third data to said sec- 
ond entity: and wherein said second entity employs 
a self-owned secret key to decrypt said third data 
received from said first entity, and implements the 

50 decryption of said first data and the signing of said 
second data. 

92. A cryptography method according to claim 90, 
wherein said first entity provides information, and 

55 said second entity receives information. 

93. A cryptography method according to claim 91 , 
wherein said first entity provides information; and 
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said second entity receives information. 

94. A cryptography method according to claim 87, 
wherein cryptography is performed using a public 
key method for which RSA cryptography is em- 5 
ployed. 

95. A cryptography method according to claim 90, 
wherein cryptography is performed using a public 
key method for which RSA cryptography is em- 
ployed. 

96. A cryptography method according to claim 91, 
wherein cryptography is performed using a public 
key method for which RSA cryptography is em- 
ployed. 



101. An electronic information distribution system ac- 
cording to claim 97, wherein said first entity supplies 
information and said second entity receives infor- 
mation. 

102. An electronic information distribution system ac- 
cording toclaim 98 : wherein said first entity supplies 
information and said second entity receives infor- 
mation. 

103. An electronic information distribution system ac- 
cording to claim 97, wherein said first data are im- 
age data and said second data are electronic wa- 
termark information. 

104. An electronic information distribution system ac- 
cording to claim 98, wherein said first data are im- 
age data and said second data are electronic wa- 
termark information. 

105. A storage medium storing processor implementa- 
ble instructions for controlling a processor to carry 
out the method of any one of claims 1 to 10, 25 to 
45, 75 to 84 or 87 to 96. 

106. An electric signal carrying processor implementa- 
ble insructions for controlling a processor to carry 
out the method of any one of claims 1 to 10,-25 to 
45, 75 to 84, or 87 to 96. 



97. An electronic information distribution system, which 
includes a plurality of entities and exchanges digital 
information across a network, wherein said plurality 20 
of entities includes at least a first and a second en- 
tity for exchanging digital information; wherein said 
first entity includes calculation means for perform- 
ing calculations with second data using said first da- 
ta that are encrypted by employing a public key be- 25 
longing to said second entity, and for obtaining third 
data: and wherein said second entity includes de- 
cryption means for using a self -owned secret key to 
decrypt said third data received from said first entity. 

30 

98. An electronic information distribution system, which 
includes a plurality of entities and exchanges digital 
information across a network, wherein said plurality 
of entities include at least a first and a second entity 

for exchanging digital information: wherein said first 35 
entity includes first encryption means for encrypting 
first data using a self-owned public key, first decryp- 
tion means for using a self-owned secret key to de- 
crypt first data received from said second entity, and 
calculation means that, to obtain third data, per- 40 
forms calculations with second data using said first 
data decrypted by said first decryption means: and 
wherein said second entity includes second encryp- 
tion means for using a self-owned public key to en- 
crypt said first data that are encrypted by said first 4 $ 
encryption means of said first entity, and second de- 
cryption means for using a self -owned secret key to 
decrypt said third data received from said first entity. 

99. An electronic information distribution system ac- 50 
cording to claim 97, wherein a public key cryptog- 
raphy method using RSA cryptography is em- 
ployed. 

100. An electronic information distribution system ac- 55 
cording to claim 98, wherein a public key cryptog- 
raphy method using RSA cryptography is em- 
ployed. 
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